benchmark 2026

TwoHamsters: Benchmarking Multi-Concept Compositional Unsafety in Text-to-Image Models

Chaoshuo Zhang 1,2, Yibo Liang 1,2, Mengke Tian 1, Chenhao Lin 1, Zhengyu Zhao 1, Le Yang 1, Chong Zhang 1, Yang Zhang 2, Chao Shen 1

0 citations

Published on arXiv: 2604.15967

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

FLUX achieves a 99.52% MCCU generation success rate, while the LLaVA-Guard defense achieves only 41.06% recall, demonstrating that current safety mechanisms are severely vulnerable to compositional attacks.

TwoHamsters

Novel technique introduced


Despite the remarkable synthesis capabilities of text-to-image (T2I) models, safeguarding them against content violations remains a persistent challenge. Existing safety alignments primarily focus on explicit malicious concepts, often overlooking the subtle yet critical risks of compositional semantics. To address this oversight, we identify and formalize a novel vulnerability: Multi-Concept Compositional Unsafety (MCCU), where unsafe semantics stem from the implicit associations of individually benign concepts. Based on this formulation, we introduce TwoHamsters, a comprehensive benchmark comprising 17.5k prompts curated to probe MCCU vulnerabilities. Through a rigorous evaluation of 10 state-of-the-art models and 16 defense mechanisms, our analysis yields 8 pivotal insights. In particular, we demonstrate that current T2I models and defense mechanisms face severe MCCU risks: on TwoHamsters, FLUX achieves an MCCU generation success rate of 99.52%, while LLaVA-Guard only attains a recall of 41.06%, highlighting a critical limitation of the current paradigm for managing hazardous compositional generation.


Key Contributions

  • Formalizes the Multi-Concept Compositional Unsafety (MCCU) vulnerability, in which individually safe concepts combine to create unsafe semantics
  • Introduces the TwoHamsters benchmark, with 17.5k prompts for evaluating compositional safety risks
  • Evaluates 10 T2I models and 16 defense mechanisms, revealing that FLUX achieves 99.52% MCCU generation success and LLaVA-Guard only 41.06% recall

🛡️ Threat Analysis

Input Manipulation Attack

MCCU exploits compositional semantics at inference time to bypass safety filters: prompts use benign concepts that combine to trigger unsafe generation, which is an input manipulation technique to evade NSFW defenses.


Details

Domains
vision, generative
Model Types
diffusion, multimodal
Threat Tags
inference_time, black_box
Datasets
TwoHamsters
Applications
text-to-image generation, content safety, nsfw detection