Modern AI image tools mark their output in three different ways, and most people only know about one of them. I built an open-source tool to handle all three, and this post is about how each mark actually works and, honestly, how removable each one is.
The three layers:
- Visible marks. The Gemini / Nano Banana sparkle in the corner, the ByteDance Doubao and Jimeng text strips, the Samsung Galaxy AI wordmark. These are pixel overlays.
- Invisible pixel watermarks. Google SynthID is the big one. It perturbs pixels in a way you cannot see but a decoder can read.
- Provenance metadata. C2PA Content Credentials, EXIF / XMP generator tags, the IPTC "Made with AI" field, China's TC260 AIGC label. This is data attached to the file, not the pixels.
They have very different removability, and that is the interesting part.
Read the provenance first
Before removing anything, it helps to know what is actually in an image. The tool has an identify command that aggregates every locally-readable signal into one verdict:
remove-ai-watermarks identify image.png
It reads:
- The C2PA manifest issuer, mapped to a platform (OpenAI, Google, Adobe Firefly, Microsoft, Black Forest Labs, and so on).
- The C2PA soft-binding algorithm, which names the forensic-watermark vendor (Adobe TrustMark, Digimarc, and others).
- EXIF / XMP generator tags. Ideogram, for instance, writes Make = "Ideogram AI".
- The IPTC "Made with AI" disclosure fields.
- xAI / Grok's own EXIF signature scheme.
- The visible mark, via a shape-matched detector.
- A SynthID proxy, inferred from the C2PA manifest of vendors known to pair the two.
It also flags integrity clashes: if two independent stamps disagree about who generated an image (say a C2PA OpenAI manifest plus an EXIF Make of "Ideogram AI"), that contradiction is a laundering tell. The detection side turned out to be the more interesting half to build, and it is the part with almost no competition.
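The clash check described above, as an added example (not code from remove-ai-watermarks). The alias table, the source names such as `c2pa_issuer`, and the function names are assumptions made for illustration; the sample inputs are constructed.

```python
from itertools import combinations

# Assumed alias table (not the tool's own): substring -> canonical platform.
ALIASES = {
    "openai": "OpenAI", "google": "Google", "adobe": "Adobe Firefly",
    "microsoft": "Microsoft", "black forest labs": "Black Forest Labs",
    "ideogram": "Ideogram", "xai": "xAI", "grok": "xAI",
}

def canonical_platform(raw):
    """Map a free-text issuer / Make string to a platform, or None if unknown."""
    text = (raw or "").strip().lower()
    # Longest alias first, so a specific name wins over a shorter substring.
    for alias in sorted(ALIASES, key=len, reverse=True):
        if alias in text:
            return ALIASES[alias]
    return None

def find_clashes(signals):
    """signals: {source_name: raw_string}. Returns (claims, clashes).

    A clash is any pair of sources whose stamps resolve to different
    platforms. Empty or unrecognised stamps are not counted as a claim.
    """
    claims = {src: canonical_platform(raw) for src, raw in signals.items()}
    known = {src: p for src, p in claims.items() if p is not None}
    clashes = [(a, known[a], b, known[b])
               for a, b in combinations(sorted(known), 2)
               if known[a] != known[b]]
    return claims, clashes

def verdict(signals):
    """Collapse the per-source claims into one label for triage."""
    claims, clashes = find_clashes(signals)
    platforms = {p for p in claims.values() if p}
    if clashes:
        return "conflict"
    if not platforms:
        return "no-signal"
    return "consistent:" + platforms.pop()

# Constructed inputs: the contradiction from the text, and an agreeing pair.
CLASH = {"c2pa_issuer": "OpenAI", "exif_make": "Ideogram AI"}
AGREE = {"c2pa_issuer": "Google LLC", "xmp_creator_tool": "Google AI", "exif_make": ""}

if __name__ == "__main__":
    print(verdict(CLASH), find_clashes(CLASH)[1])
    print(verdict(AGREE))
```

Feed it only fields that claim a generator; a toolkit or editor string that merely names a vendor would be counted as a claim by the substring match.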
Removing visible marks: reverse alpha, not inpainting
The obvious way to remove a corner logo is to inpaint over it. That hallucinates pixels and leaves a smudge. The better way, when the mark is a fixed overlay, is reverse alpha blending.
A visible watermark is an alpha composite:
watermarked = alpha * logo + (1 - alpha) * original
If you capture the logo's alpha map once, by stamping it on a known background, you can invert the equation and recover the original pixels:
original = (watermarked - alpha * logo) / (1 - alpha)
For the Gemini sparkle on a bright background this is near-exact. No inpainting, no hallucination. The text marks re-rasterize slightly per image, so they get a thin residual inpaint on top, but the bulk is recovered, not invented.
remove-ai-watermarks visible image.png -o clean.png # auto-detect
remove-ai-watermarks visible image.png --mark gemini -o clean.png
It runs on CPU, no model download.
Removing metadata
This one is simple and lossless. The metadata lives in the file's containers, not in the pixels, so stripping it never touches the image:
remove-ai-watermarks metadata image.png --check # inspect
remove-ai-watermarks metadata image.png --remove -o clean.png
It handles C2PA, EXIF, IPTC, and PNG text chunks across PNG, JPEG, WebP, AVIF, HEIF, and even MP4 (which is just ISOBMFF, like AVIF).
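To make the container-versus-pixels split concrete for PNG, here is an added example (not the tool's code) that walks the chunk list, reports the chunks that can carry provenance data, and hashes the IDAT stream separately. The two sample files are constructed inline, the `caBX` body is a placeholder rather than a real manifest, and all function names are assumptions.

```python
import hashlib, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")
# Ancillary chunk types that can carry provenance data rather than pixels.
PROVENANCE = {b"caBX": "C2PA manifest store", b"eXIf": "EXIF", b"tEXt": "text",
              b"zTXt": "compressed text", b"iTXt": "UTF-8 text / XMP"}

def chunks(data):
    """Yield (type, body) for each chunk, validating length and CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk body")
        body = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC in %r" % ctype)
        yield ctype, body
        pos = end

def inspect_png(data):
    """Return (provenance findings, SHA-256 of the concatenated IDAT stream)."""
    findings, pixels = [], hashlib.sha256()
    for ctype, body in chunks(data):
        if ctype == b"IDAT":
            pixels.update(body)
        elif ctype in PROVENANCE:
            # Text chunks begin with a NUL-terminated keyword; the others do not.
            key = body.split(b"\x00", 1)[0].decode("latin-1") if ctype in TEXT_CHUNKS else ""
            findings.append((ctype.decode(), PROVENANCE[ctype], key))
    return findings, pixels.hexdigest()

def _chunk(ctype, body):  # builder for the constructed samples below
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png(extra=()):
    """Constructed 1x1 grayscale PNG, optionally with extra chunks before IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one gray pixel
    parts = [_chunk(b"IHDR", ihdr)] + [_chunk(t, b) for t, b in extra]
    return PNG_SIG + b"".join(parts + [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")])

TAGGED = sample_png([(b"tEXt", b"Software\x00example-generator"), (b"caBX", b"\x00" * 16)])
BARE = sample_png()
```

Both samples produce the same IDAT hash, so comparing that hash across two copies of a file is a quick way to confirm that only the metadata differs.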
The hard one: SynthID
Here is the honest part. There is no public SynthID decoder. Google DeepMind's own paper states the verifier is restricted to trusted testers, and they do not release detector weights. A local pixel detector is infeasible by design, not just unbuilt. So the tool detects SynthID only by its C2PA companion, which is reliable while the manifest is intact and silent once you strip it.
Removal is a different problem. Since you cannot read the watermark, you cannot surgically remove it. The approach is a light regeneration: a low-strength SDXL img2img pass that perturbs the pixels enough to break the watermark, with a canny ControlNet conditioning the regeneration on the original edge map so text and faces keep their structure.
remove-ai-watermarks invisible image.png -o clean.png
The caveats, because they matter:
- It is lossy. A regeneration softens fine detail. The visible-mark and metadata paths above are lossless; this one is not.
- It is content-dependent and not guaranteed. How much you need to regenerate depends on the image, and there is no local oracle to self-verify. You confirm with the Gemini app's "Verify with SynthID" feature, and raise the strength if it still detects.
- It does not defeat AI-vs-real classifiers. Tools like Hive Moderation are trained statistical detectors, a different thing from a watermark. A light diffusion pass will not reliably fool them, and that is out of scope on purpose.
- It is an arms race. A vendor can change the scheme whenever they want.
I would rather state these plainly than ship a tool that overclaims.
On whether any of this should exist
Watermarking is a weak trust signal to begin with. A marker that is almost always present yet trivially removable can make a cleaned forgery look more trustworthy, not less. Durable provenance is more likely to come from signing genuine content than from watermarking synthetic content. Half of what this tool ships is identify, which reads provenance rather than removing it, and the legal limits on removing an AI label are spelled out in the README.
Install
pip install remove-ai-watermarks
# or
brew install wiltodelta/tap/remove-ai-watermarks
There is also a ComfyUI node pack if you live in that world. It is Apache 2.0 and open source:
https://github.com/wiltodelta/remove-ai-watermarks
If you find a case where a visible mark leaves a trace, the repo is the place to tell me.
