
The AI Supply Chain: Hugging Face Risks

NOV 05, 2025 | DEVSECOPS | 4 MIN READ

In traditional software, we scan binaries before they run. In AI, we download gigabytes of opaque weights from Hugging Face and load them straight into production. That gap is a massive vulnerability.

The Pickle Problem

Many PyTorch models are serialized with Python's pickle module. Pickle is not a passive data format: a pickle stream is a small program for a stack machine that can import any module and call any callable while it is being deserialized. A malicious actor can therefore embed arbitrary code in a model file. When you load the model to run inference, that code executes on your server with the privileges of the inference process, potentially opening a reverse shell.
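To make that risk concrete from the defender's side, here is an added example (not code from the post) that disassembles a pickle stream with the standard library's pickletools and reports every module.attribute it imports and how many call opcodes it contains, without ever unpickling it. The ALLOWED_MODULES allowlist is a hypothetical starting point and the sample byte strings are constructed for the example.

```python
"""Static scan of a pickle stream for the opcodes that import and call code.
Added example; the module allowlist is a hypothetical starting point, not a standard."""
import io
import pickle
import pickletools
from collections import deque

# Top-level modules a plain PyTorch checkpoint legitimately references
# (hypothetical allowlist: extend it for your models, never with os/subprocess/builtins).
ALLOWED_MODULES = frozenset({"torch", "collections", "numpy", "_codecs"})

# Opcodes that push a string; two of them in a row are the operands of STACK_GLOBAL (protocol 4+).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that invoke something previously imported; this is where a __reduce__ payload fires.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle(data: bytes, allowed=ALLOWED_MODULES) -> dict:
    """Disassemble `data` with pickletools.genops and list every module.attribute it imports.
    Nothing is unpickled, so a booby-trapped file cannot run during the scan."""
    imports, calls = [], 0
    recent_strings = deque(maxlen=2)          # last two string pushes, for STACK_GLOBAL
    for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
        name = opcode.name
        if name in STRING_OPS:
            recent_strings.append(arg)
        elif name == "GLOBAL":                # protocol 0-3: arg is "module attr" on one line
            module, attr = arg.split(" ", 1)
            imports.append(f"{module}.{attr}")
        elif name == "STACK_GLOBAL":          # protocol 4+: module and attr were pushed just before
            if len(recent_strings) == 2:
                module, attr = recent_strings
                imports.append(f"{module}.{attr}")
        elif name in CALL_OPS:
            calls += 1
    # Flag anything whose top-level package is outside the allowlist (e.g. os, subprocess, builtins).
    suspicious = [ref for ref in imports if ref.split(".", 1)[0] not in allowed]
    return {"imports": imports, "suspicious": suspicious, "calls": calls}


# Constructed sample streams (no real model weights involved):
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2], "layer.bias": [0.0]})  # data only, no imports
TORCH_LIKE = b"\x80\x02ccollections\nOrderedDict\n)R."                     # GLOBAL collections.OrderedDict
SUSPICIOUS_P2 = b"\x80\x02cos\ngetcwd\n)R."                               # GLOBAL os.getcwd, then REDUCE
SUSPICIOUS_P4 = b"\x80\x04\x8c\x02os\x8c\x06getcwd\x93)R."                # same import via STACK_GLOBAL

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("torch-like", TORCH_LIKE),
                        ("suspicious-p2", SUSPICIOUS_P2), ("suspicious-p4", SUSPICIOUS_P4)]:
        print(f"{label:14s} {scan_pickle(blob)}")
```

Point it at the bytes of a .bin checkpoint, or at the data.pkl member inside a zip-based .pt file. Any import outside your allowlist in a file that should hold only tensors is reason to quarantine the artifact rather than load it. A scan like this is a gate in front of your registry, not a substitute for refusing pickle-based formats: torch.load(weights_only=True) applies a similar allowlist inside the unpickler, but a pre-load scan lets you reject the file before it ever reaches a loader.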

The Solution: SafeTensors

We mandate the use of SafeTensors for all model weights. Unlike pickle, SafeTensors is a simple, zero-copy storage format that holds only tensor metadata and raw numbers; there is no place in it for code, so loading a file cannot execute anything. We also run a private PyPI mirror and model registry, so no developer pulls unverified weights or packages from the public internet.
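To show why a tensor-only container closes the door that pickle leaves open, here is an added example (not the safetensors project's code) that writes and reads the safetensors layout with only the standard library: an 8-byte little-endian header length, a JSON header of dtype, shape and data offsets per tensor, then the raw bytes. The dtype table is a subset of the real one, and the sample tensors and the tampered headers are constructed for the example.

```python
"""Minimal safetensors reader/writer using only the standard library.
Added example, not the safetensors project's code; DTYPE_SIZE is a subset."""
import json
import math
import struct

DTYPE_SIZE = {"F32": 4, "F16": 2, "BF16": 2, "F64": 8, "I64": 8, "I32": 4, "U8": 1, "BOOL": 1}


def pack(header: dict, data: bytes) -> bytes:
    """File layout: u64 LE header length, JSON header padded with spaces to 8 bytes, raw data."""
    hdr = json.dumps(header).encode("utf-8")
    hdr += b" " * (-len(hdr) % 8)
    return struct.pack("<Q", len(hdr)) + hdr + data


def write_safetensors(tensors: dict, metadata=None) -> bytes:
    """tensors: name -> (dtype, shape, little-endian bytes), laid out back to back."""
    header, body, offset = {}, bytearray(), 0
    if metadata:  # the format allows only string -> string metadata
        header["__metadata__"] = {str(k): str(v) for k, v in metadata.items()}
    for name, (dtype, shape, raw) in tensors.items():
        if len(raw) != math.prod(shape) * DTYPE_SIZE[dtype]:
            raise ValueError(f"{name}: byte length does not match dtype*shape")
        header[name] = {"dtype": dtype, "shape": list(shape), "data_offsets": [offset, offset + len(raw)]}
        body += raw
        offset += len(raw)
    return pack(header, bytes(body))


def read_safetensors(blob: bytes, max_header: int = 100_000_000) -> dict:
    """Parse and validate. Every check is on integers and strings; nothing is ever executed."""
    if len(blob) < 8:
        raise ValueError("truncated: no header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > max_header or 8 + n > len(blob):       # bound the header before trusting it
        raise ValueError("header length out of range")
    header = json.loads(blob[8:8 + n])
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    data = blob[8 + n:]
    tensors, spans = {}, []
    for name, entry in header.items():
        if name == "__metadata__":
            if not (isinstance(entry, dict) and
                    all(isinstance(k, str) and isinstance(v, str) for k, v in entry.items())):
                raise ValueError("__metadata__ must map strings to strings")
            continue
        if not isinstance(entry, dict) or set(entry) != {"dtype", "shape", "data_offsets"}:
            raise ValueError(f"{name}: entry must have exactly dtype, shape, data_offsets")
        dtype, shape, offsets = entry["dtype"], entry["shape"], entry["data_offsets"]
        if dtype not in DTYPE_SIZE:
            raise ValueError(f"{name}: unknown dtype {dtype!r}")
        if not (isinstance(shape, list) and
                all(isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape)):
            raise ValueError(f"{name}: shape must be a list of non-negative ints")
        if not (isinstance(offsets, list) and len(offsets) == 2 and all(isinstance(o, int) for o in offsets)):
            raise ValueError(f"{name}: data_offsets must be two ints")
        begin, end = offsets
        if not (0 <= begin <= end <= len(data)) or end - begin != math.prod(shape) * DTYPE_SIZE[dtype]:
            raise ValueError(f"{name}: data_offsets exceed the buffer or disagree with dtype*shape")
        spans.append((begin, end))
        tensors[name] = (dtype, tuple(shape), bytes(data[begin:end]))
    # Tensors must tile the data section exactly: no gaps, no overlap, no trailing bytes.
    expected = 0
    for begin, end in sorted(spans):
        if begin != expected:
            raise ValueError("tensor data must be contiguous and non-overlapping")
        expected = end
    if expected != len(data):
        raise ValueError("data section has trailing or missing bytes")
    return tensors


def is_valid(blob: bytes) -> bool:
    try:
        read_safetensors(blob)
        return True
    except ValueError:  # json.JSONDecodeError and UnicodeDecodeError are ValueErrors too
        return False


def floats(raw: bytes) -> tuple:
    """Decode an F32 buffer to Python floats."""
    return struct.unpack(f"<{len(raw) // 4}f", raw)


# Constructed weights (not a real model): a 2x2 F32 matrix and a 2-element F32 vector.
SAMPLE = write_safetensors(
    {"layer.weight": ("F32", (2, 2), struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)),
     "layer.bias": ("F32", (2,), struct.pack("<2f", 0.5, -0.5))},
    metadata={"format": "pt"})
# A header entry that is not tensor metadata is rejected outright (constructed tampering).
SMUGGLED = pack({"layer.weight": {"dtype": "F32", "shape": [1], "data_offsets": [0, 4]},
                 "hook": "not a tensor"}, b"\x00\x00\x80\x3f")
# Offsets reaching past the end of the data section are rejected too (constructed tampering).
OVERREAD = pack({"layer.weight": {"dtype": "F32", "shape": [4], "data_offsets": [0, 16]}}, b"\x00" * 8)

if __name__ == "__main__":
    for name, (dtype, shape, raw) in read_safetensors(SAMPLE).items():
        print(name, dtype, shape, floats(raw))
    print("smuggled header accepted?", is_valid(SMUGGLED))
    print("over-read offsets accepted?", is_valid(OVERREAD))
```

The reader has nowhere to put behaviour: it parses JSON, compares integers and slices bytes, which is the whole reason the format is safe to load from an untrusted registry. The checks it does perform still matter in practice: a header length bounded by the file size and a sane ceiling, offsets that must tile the data exactly, and metadata restricted to strings. A gate that trusts the .safetensors extension without parsing the header gains less than it thinks.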