What does HackerNews think of picklescan?

Security scanner detecting Python Pickle files performing suspicious actions

Language: Python

Hmmm. The model is a ckpt instead of a safetensor.

Pondering on whether to keep proceeding trying this out or not...

EDIT: a scan with picklescan[0] found nothing... exciting.

[0] https://github.com/mmaitre314/picklescan

I only found this picklescan[0] serving this purpose, but it doesn't seem to be a finished project.

[0] - https://github.com/mmaitre314/picklescan

It's Python's serialisation format: https://docs.python.org/3/library/pickle.html

There are tools to check the format for suspicious behaviour: https://github.com/mmaitre314/picklescan seems to be the most developed one.

You can also check the format manually (being careful not to call into it), like demonstrated by this more rudimentary scanner: https://github.com/zxix/stable-diffusion-pickle-scanner

If you do check for security issues yourself, you'll need to read up on what magical methods/variables may cause code execution. Simple demonstrations of dangerous code can be found all over the web (https://stackoverflow.com/questions/47705202/pickle-exploiti...) but I'm sure there are obfuscation tricks that simple scans won't catch.
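The comment above describes checking a pickle "manually (being careful not to call into it)". As an added example (not code from picklescan, the linked scanner, or any commenter), the following walks a pickle's opcode stream with the standard library's `pickletools.genops`, which parses opcodes without unpickling anything, and flags `GLOBAL` / `STACK_GLOBAL` imports of modules a model checkpoint has no reason to reference, plus the opcodes (`REDUCE`, `BUILD`, ...) that can invoke a callable during load. The deny list `SUSPICIOUS_GLOBALS` and the sample blobs are constructed for this example; the two "malicious" samples are opcode streams written by hand as bytes and are only ever scanned, never loaded.

```python
import pickle
import pickletools
from dataclasses import dataclass, field

# Imports that a legitimate model checkpoint has no reason to reference.
# None means "flag any attribute of this module"; a set lists specific names.
# Constructed, deliberately short list for this example, not a complete deny list.
SUSPICIOUS_GLOBALS = {
    "os": None,
    "posix": None,
    "nt": None,
    "subprocess": None,
    "socket": None,
    "shutil": None,
    "builtins": {"eval", "exec", "compile", "open", "__import__", "getattr"},
}

# Opcodes that push a string constant; needed to resolve STACK_GLOBAL,
# which takes its module and attribute name from the two preceding strings.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# Opcodes that can invoke a callable or object protocol while unpickling.
CALL_OPS = {"REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD", "INST", "OBJ"}


@dataclass
class ScanResult:
    globals_seen: list = field(default_factory=list)   # every (module, attr) import
    suspicious: list = field(default_factory=list)     # the flagged subset
    call_ops: int = 0                                  # how many CALL_OPS appeared

    @property
    def dangerous(self) -> bool:
        return bool(self.suspicious)


def is_suspicious(module: str, attr: str) -> bool:
    if module not in SUSPICIOUS_GLOBALS:
        return False
    names = SUSPICIOUS_GLOBALS[module]
    return names is None or attr in names


def scan_pickle_bytes(data: bytes) -> ScanResult:
    """Walk the opcode stream with pickletools.genops; nothing is unpickled."""
    result = ScanResult()
    recent_strings = []  # last two string constants pushed on the stack
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings = (recent_strings + [arg])[-2:]
            continue
        if op.name in CALL_OPS:
            result.call_ops += 1
            continue
        if op.name == "GLOBAL":
            # Protocols 0-3: arg is "module attr" as one space-separated string.
            module, attr = arg.split(" ", 1)
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and attr are the two strings pushed just before.
            if len(recent_strings) < 2:
                module, attr = "<unresolved>", "<unresolved>"
            else:
                module, attr = recent_strings
        else:
            continue
        result.globals_seen.append((module, attr))
        if is_suspicious(module, attr):
            result.suspicious.append((module, attr))
    return result


# --- constructed samples (never passed to pickle.loads) ---------------------

# A checkpoint-like payload of plain containers and numbers.
BENIGN = pickle.dumps({"layer1.weight": [0.1, 0.2, 0.3], "epoch": 3}, protocol=4)

# Protocol-0 opcode stream written by hand: GLOBAL os.system, MARK, STRING,
# TUPLE, REDUCE, STOP. Scanned only; never loaded.
MALICIOUS_P0 = b"cos\nsystem\n(S'echo constructed'\ntR."

# The same shape in protocol 4 via STACK_GLOBAL: PROTO 4, two SHORT_BINUNICODE
# strings ("os", "system"), STACK_GLOBAL, one string argument, TUPLE1, REDUCE, STOP.
MALICIOUS_P4 = (b"\x80\x04"
                b"\x8c\x02os" b"\x8c\x06system" b"\x93"
                b"\x8c\x10echo constructed" b"\x85" b"R" b".")


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("p0", MALICIOUS_P0), ("p4", MALICIOUS_P4)]:
        r = scan_pickle_bytes(blob)
        print(f"{label}: dangerous={r.dangerous} globals={r.globals_seen} call_ops={r.call_ops}")
```

This is a heuristic, in line with the commenter's caveat: resolving `STACK_GLOBAL` from the two most recent string pushes is defeated by a stream that fetches the module name back out of the memo with `BINGET`, and an allow list of the handful of globals a real checkpoint needs (for example the tensor-rebuild helpers of the framework in use) is a stronger posture than a deny list of known-bad modules.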