| Model Format | File Extensions | Arbitrary Code Execution | Suspicious Functions | Network Requests | Denial of Service | Suspicious File Format | Decompression Vulnerabilities | Embedded Payloads | Directory Traversal | Arbitrary Read Access | Graph Payload |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Cloudpickle | .pkl, .pickle | x | x | x | x | x | |||||
| Dill | .dill | x | x | x | x | x | |||||
| GGUF | .gguf | x | |||||||||
| HDF5 | .h5, .hdf5 | x | x | x | x | x | x | ||||
| JobLib | .joblib | x | x | x | x | x | |||||
| Keras | .keras, .tf | x | x | ||||||||
| NeMo | .nemo | x | x | x | x | x | x | ||||
| Numpy | .npy, .npz | x | x | x | x | x | |||||
| ONNX | .onnx | x | x | x | |||||||
| Pytorch | .pt, .bin, .zip | x | x | x | x | x | |||||
| Pickle | .pkl | x | x | x | x | x | |||||
| R | .rds (plain and compressed) | x | |||||||||
| Safetensors | .safetensors | x | x | ||||||||
| Skops | .skops | x | |||||||||
| Tensorflow | .savedmodel, .tf, .pb | x | |||||||||
| Zip | .zip | x | | | | | | | | | |

The model scanner recognizes but does not scan the following common file types.

| Category | File Types |
|---|---|
| Documentation | .md (READMEs, release notes) |
| Code Files | .py (scripts), .js (optional), .sh (shell scripts) |
| Config / Metadata | .json, .yaml, .yml, .ini, .cfg |
| Data Files | .txt, .csv, .tsv |
| Git Config Files | .gitignore, .gitattrib |
| TAR | .tar |

If Model Scanner does not support, or cannot recognize, the type of an input file, it emits a scan result with an empty `detections` list and the `results.type` key set to `"unknown"`.

```json
[
  {
    "detections": [],
    "end_time": 1717543001759,
    "file_pointer": "/cmd/modelscan-cli/main.go",
    "results": {
      "md5": "33d1ed57c6a93d5cd910fd721c9d016e",
      "sha256": "1739c813f09d2c90ad676d318832134c22864bc1d4bf4f272b9d7971a4cea007",
      "tlsh": "3b360f42d1a3d84e8853d4c5b971a5ce2ae5cf8f87425fa1bd51bc1d4e78a18f20c8be",
      "type": "unknown"
    },
    "scan_id": "1739c813f09d2c90ad676d318832134c22864bc1d4bf4f272b9d7971a4cea007",
    "start_time": 1717543001552,
    "status": "done"
  }
]
```
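
A result with an empty `detections` list and `results.type` set to `"unknown"` means the file was not analyzed, not that it is clean. The following added example (not part of Model Scanner or its documentation) gates a pipeline on that distinction. The labels, the handling of `status` values other than `"done"`, and every sample record after the first are assumptions constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Extensions the page lists as recognized but not scanned.
RECOGNIZED_NOT_SCANNED = {
    ".md", ".py", ".js", ".sh", ".json", ".yaml", ".yml", ".ini", ".cfg",
    ".txt", ".csv", ".tsv", ".gitignore", ".gitattrib", ".tar",
}
BLOCKING = {"flagged", "incomplete", "unknown_type"}  # hypothetical policy labels


def classify(result: dict) -> str:
    """Label one scan result; an empty detections list alone is never 'clean'."""
    if result.get("detections"):
        return "flagged"
    if result.get("status") != "done":  # assumption: other statuses mean unfinished
        return "incomplete"
    if result.get("results", {}).get("type") == "unknown":
        return "unknown_type"  # the scanner could not identify the file
    name = PurePosixPath(result.get("file_pointer", "")).name.lower()
    ext = PurePosixPath(name).suffix or name  # dotfiles such as .gitignore
    if ext in RECOGNIZED_NOT_SCANNED:
        return "not_scanned"
    return "no_detections"


def gate(results: list) -> tuple:
    """Return (approved, {label: [file_pointer, ...]}) for a list of results."""
    buckets = {}
    for r in results:
        buckets.setdefault(classify(r), []).append(r.get("file_pointer", "<missing>"))
    return BLOCKING.isdisjoint(buckets), buckets


# Constructed sample: the first record reuses the page's fields, the rest are invented.
SAMPLE = json.loads("""[
  {"detections": [], "file_pointer": "/cmd/modelscan-cli/main.go",
   "results": {"type": "unknown"}, "status": "done"},
  {"detections": [], "file_pointer": "/models/README.md",
   "results": {"type": "constructed"}, "status": "done"},
  {"detections": [{"constructed": true}], "file_pointer": "/models/a.pkl",
   "results": {"type": "constructed"}, "status": "done"},
  {"detections": [], "file_pointer": "/models/b.safetensors",
   "results": {"type": "constructed"}, "status": "done"}
]""")

if __name__ == "__main__":
    approved, buckets = gate(SAMPLE)
    print("approved:", approved, buckets)
```

Files labelled `not_scanned` do not block approval in this policy but are reported, since scripts and archives in that list can still carry code.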