AI Credential Detection

AI Credential Detection is Nephele Workshop's local metadata scanning tool. It reads the C2PA content credentials, generation parameters, platform declarations, and export traces already present in an image file to determine whether the image carries verifiable evidence of AI generation.

What problems it's good for

AI Credential Detection is well suited to quick screening and evidence organization:

• When you receive an image, check whether it carries metadata left behind by ComfyUI, Stable Diffusion, Midjourney, ChatGPT, Gemini, as well as Chinese tools such as Doubao, Jimeng, Tongyi, Wenxin, and Kling.
• Check whether C2PA Content Credentials are present, whether the signature chain is complete, and whether the credential declares AI generation.
• Determine whether an image was re-encoded by a platform or drawing software, causing the original credentials to be lost.
• Give reviewers "evidence labels they can understand" instead of a pile of raw parameters.

It is not suited to these tasks:

• Judging whether something is AI based on visual style alone.
• Proving that "not detected = human original."
• Detecting every AI image whose metadata has already been lost after screenshotting, re-saving, or recompression.
• Replacing copyright registration, contract review, or a legal chain of evidence.

How to use it

1. Open AI Credential Detection from the toolbox on the left.
2. Drag in images, or click the upload area to choose files.
3. Click Start Scan.
4. View the status and evidence labels for each image in the list.

Common image formats are supported: PNG, JPG/JPEG, WebP, BMP, TIFF.

How to read the result statuses

What counts as strong evidence

Nephele currently prioritizes trusting machine-readable evidence over visual guesswork.

C2PA content credentials

If an image embeds a C2PA manifest, Nephele will read:

• Whether a C2PA manifest exists.
• Whether the signature chain of the active manifest is valid.
• Whether the signing certificate is in the current trust list.
• The claim generator, for example OpenAI or Google C2PA Core Generator Library.
• AI provenance markers, for example trainedAlgorithmicMedia, algorithmicMedia, synthid.
• Statuses such as remote manifest, embedded manifest, and validation issues.

Things to note:

• A valid signature chain means the manifest and the image data hash correspond.
• Certificate not in the trust list does not mean the signature is broken; it only means the local verifier has not included that signer in its trusted roots.
• validation_state=Invalid must be read alongside the specific issue. It may be an ingredient chain, timestamp trust, or certificate trust problem, and does not necessarily mean the current image data was tampered with.

ComfyUI

Raw ComfyUI output usually writes in:

• workflow JSON
• prompt JSON

When this kind of structure is detected, Nephele shows ComfyUI workflow metadata. This counts as strong evidence, because it records the generation nodes and parameters, not a filename guess.

Stable Diffusion family

Common parameter traces from Stable Diffusion WebUI, Forge, SD.Next, and similar tools are supported, for example:

• Steps
• Sampler
• CFG scale
• Seed
• Model hash
• Model
• Negative prompt
• Size
• Clip skip
• Schedule type
• Denoising strength
• Hires upscale

When detected, it shows Stable Diffusion parameters.

NovelAI / InvokeAI / Fooocus

Nephele recognizes the generation metadata commonly produced by these tools:

• NovelAI / nai-diffusion markers, or generation JSON containing uc, sampler, steps, scale.
• InvokeAI's invokeai_metadata or generation JSON.
• Fooocus text metadata and parameter markers.

Midjourney and IPTC/XMP

Midjourney downloads may carry a Job ID or an AI provenance declaration in IPTC/XMP. Nephele shows:

• Midjourney Job ID
• Metadata declares AI generation

National-standard AIGC label (GB 45438-2025)

Following the Measures for Labeling AI-Generated and Synthetic Content, Chinese AI services write a dedicated AIGC label block into the file. Nephele reads this structured field and maps the internal producer codes to their names for display, for example Doubao, Jimeng, ByteDance, Tongyi Wanxiang, Tongyi Qianwen, Wenxin Yige, Tencent Hunyuan, Kling, Zhipu, iFlytek Spark, MiniMax, Hailuo, StepFun, Vidu, LiblibAI, Kimi, SenseTime, 360, and others.

This is a proprietary field that won't be triggered by accident on ordinary images, and counts as strong evidence. If the label explicitly declares "not AI-generated," Nephele will not treat it as AI.

What counts as a weak signal

Weak signals are shown as Weak signal and will not pose as strong evidence.

Common weak signals:

• The filename contains a platform name such as Gemini, Google, or Midjourney.
• A visible Google/Gemini watermark shape.
• The C2PA source shows a particular platform, but the credential itself does not declare AI generation.

Weak signals are good for prompting manual review, but not suitable as the sole basis for a judgment.

Why some AI images can't be detected

AI metadata detection depends on the evidence still being preserved in the file. If an image has gone through any of the following, the credentials may disappear:

• Re-encoded when downloaded from a platform.
• A PNG converted to JPEG or WebP.
• Re-saved by Clip Studio Paint, Photoshop, or a preview tool.
• Processed by a social platform, chat app, or compression website.
• Screenshotted, cropped, collaged, or re-exported.
• The generation tool itself did not write any metadata.

In these cases, Nephele will try to show "Insufficient credentials" or "No credentials found" rather than arbitrarily forcing an AI / non-AI binary.

Typical examples

ComfyUI original

The result is usually:

发现 AI 凭据
ComfyUI 工作流元数据 · 未发现 C2PA 凭证

Meaning: the file contains ComfyUI workflow or prompt JSON, but no C2PA content credential.

ChatGPT / OpenAI image

The result may be:

发现 AI 凭据
C2PA 内容凭证 · 签名有效 · 来源：OpenAI · 凭证声明为 AI 生成

Meaning: the image carries an OpenAI-related C2PA manifest, and the credential declares an AI source.

Gemini image

Gemini images can have various statuses:

• Some only show a Google C2PA source but do not declare AI.
• Some include trainedAlgorithmicMedia, algorithmicMedia, synthid, and can show AI credentials found.
• Some, after post-processing, retain only filename clues or no credentials at all.

This is not a contradiction in the detector, but a result of different export pipelines preserving different C2PA information.

Platform re-encoded image

The result may be:

凭据不足
未发现 C2PA 凭证 · 文件格式与扩展名不一致 · 元数据很少，可能被平台重编码

Meaning: the file itself cannot prove its source. It could be an AI image, or a human work that was processed by a platform.

FAQ

Q: Can this feature judge AI images with 100% accuracy?

No. It only detects the credentials and metadata preserved in the file; it does not make visual style guesses.

Q: Why not connect a visual AI detection model?

Because the false-positive risk is too high. Anime, thick-paint, low-poly, heavily filtered, and heavily compressed images can all be misjudged by visual models. Nephele currently chooses the more conservative evidence-based route.

Q: Does C2PA showing untrusted mean the image was modified?

No. untrusted usually means the local trust list has not accepted that signing certificate. Whether it was modified should be read together with claimSignature.validated, assertion.dataHash.match, validation issues, and similar information.

Q: Can finding no credentials prove it isn't AI?

No. It only means no AI credential or generation metadata that Nephele recognizes was found in this file.

Q: Can the detection result serve as legal evidence?

Not as legal evidence on its own. It is a review and screening tool. For ownership records, use digital timestamping, contracts, platform records, and original project files together to form a chain of evidence.