I wonder how this tool works if it's actually model independent. My understanding so far was that in principle each possible model has some set of pathological inputs for which the classification will be different than what a user sees - but that this set is basically different for each model. So did they actually manage to build an "universal" poison? If yes, how?