model-scanner

Model Scanner — ML Supply Chain Security

Multi-scanner security analysis with risk scoring and global compliance mapping. Zero configuration.

How You Should Behave

When this skill triggers, you assess ML model security posture. Not just "scan files" but "inventory, score, map to compliance, and tell them what to fix."

Step 1: Discover What's Here

Before scanning, explore the workspace for model files and HuggingFace configs:

```bash
find . -type f \( -name "*.pkl" -o -name "*.pt" -o -name "*.pth" -o -name "*.bin" -o -name "*.safetensors" -o -name "*.onnx" -o -name "*.gguf" -o -name "*.joblib" -o -name "*.h5" -o -name "*.npy" \) 2>/dev/null
```

Check `config.json` files for HuggingFace metadata (`_name_or_path`, `trust_remote_code`, `auto_map`).
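The discovery step above, worked through in Python as an added example (this is not the skill's own `scripts/scan.py`): it walks a directory for the same extensions the `find` command lists, reads every `config.json` it meets, and flags `trust_remote_code` and `auto_map`. The split into pickle-based versus data-only formats, the sample workspace it builds, and the model id in it are assumptions constructed for the demo.

```python
"""Added example: inventory model files and inspect HuggingFace config.json.

Illustrative code, not the skill's scripts/scan.py. The extension list
matches the find command above; the pickle-based grouping and the sample
workspace are assumptions constructed for this demo.
"""
import json
import os
import tempfile

MODEL_EXTENSIONS = {".pkl", ".pt", ".pth", ".bin", ".safetensors",
                    ".onnx", ".gguf", ".joblib", ".h5", ".npy"}
# Assumption: these extensions normally wrap a Python pickle and can run
# code on load; the remaining formats are treated as data-only.
PICKLE_BASED = {".pkl", ".pt", ".pth", ".bin", ".joblib"}
HF_KEYS = ("_name_or_path", "trust_remote_code", "auto_map")


def discover_models(root):
    """Walk root and return every model file with its format classification."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in MODEL_EXTENSIONS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append({"path": rel, "format": ext,
                              "pickle_based": ext in PICKLE_BASED})
    return sorted(found, key=lambda f: f["path"])


def inspect_hf_config(config_path):
    """Read one config.json and flag the keys that pull in arbitrary Python."""
    with open(config_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    # Either key means the model ships custom code that weight scanners never see.
    flags = [k for k in ("trust_remote_code", "auto_map") if cfg.get(k)]
    return {"path": config_path,
            "is_huggingface": any(k in cfg for k in HF_KEYS),
            "name_or_path": cfg.get("_name_or_path"),
            "flags": flags}


def inventory(root):
    """Step 1 output: model files plus every HuggingFace config under root."""
    configs = []
    for dirpath, _, files in os.walk(root):
        if "config.json" in files:
            info = inspect_hf_config(os.path.join(dirpath, "config.json"))
            info["path"] = os.path.relpath(info["path"], root)
            configs.append(info)
    return {"models": discover_models(root),
            "configs": sorted(configs, key=lambda c: c["path"])}


def build_sample_workspace():
    """Constructed sample tree: a plain pickle, a safetensors file, one HF repo."""
    root = tempfile.mkdtemp(prefix="model-scanner-demo-")
    os.makedirs(os.path.join(root, "hf-model"))
    for rel in ("classifier.pkl", "weights.safetensors",
                os.path.join("hf-model", "pytorch_model.bin")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder bytes")  # contents do not matter for discovery
    cfg = {"_name_or_path": "example-org/demo-model",  # placeholder model id
           "trust_remote_code": True,
           "auto_map": {"AutoModel": "modeling_demo.DemoModel"}}
    with open(os.path.join(root, "hf-model", "config.json"), "w", encoding="utf-8") as fh:
        json.dump(cfg, fh)
    return root


if __name__ == "__main__":
    result = inventory(build_sample_workspace())
    for m in result["models"]:
        kind = "pickle-based" if m["pickle_based"] else "data-only"
        print(f"{m['path']:<32} {m['format']:<13} {kind}")
    for c in result["configs"]:
        print(f"{c['path']}: HF={c['is_huggingface']} flags={c['flags']}")
```

The `pickle_based` flag is what drives format-aware routing later: only those files need the pickle scanners, while the config flags are reported regardless of what the weight scanners say.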

Step 2: Run the Scanner

```bash
uv run scripts/scan.py <path-or-hf-model-id> [--verbose] [--json]
```

The script handles everything: auto-installs scanners, discovers files, runs 4 scanners with format-aware routing, calculates risk score, maps to compliance frameworks, and suggests remediation.

Step 3: Present Results

The scanner output has 5 sections. Present them in order:
  1. Inventory — what models exist, what formats, which are HuggingFace models
  2. Assessment — per-file verdicts (MALICIOUS/SUSPICIOUS/SAFE/FORMAT_SAFE)
  3. Risk Score — 0-100 with breakdown of what caused deductions
  4. Compliance — PASS/FAIL/WARN against ISM-2072, EU AI Act, OWASP, MITRE, NIST
  5. Remediation — ordered list of what to fix, most urgent first
Lead with the worst findings. If something is MALICIOUS, say so immediately.

Step 4: HuggingFace-Specific Advice

When you detect HF models, offer options:
  • Scan local files only
  • Check HuggingFace for the full model (may have SafeTensors version)
  • Compare formats available on HF vs locally
Always flag `trust_remote_code` and `auto_map` — these load arbitrary Python that model scanners don't analyze.

Step 5: Compliance Questions

When the user asks "are we ISM-2072 compliant" or "EU AI Act" or "OWASP LLM06", read `references/compliance-frameworks.md` for detailed control text and how-to-comply guidance.

Scanners (4 independent approaches)

| Scanner | Approach | Strength |
| --- | --- | --- |
| Fickling | Allowlist + decompiler | Blocks unknown imports by default |
| ModelScan | Denylist static | Broadest ML format support |
| PickleScan | Denylist static | HuggingFace parity |
| ModelAudit | Multi-format static | 42+ formats, config analysis |

Format routing prevents false positives: pickle scanners only run on pickle files, ModelAudit handles configs/safetensors.

Risk Score

Starts at 100, deducts for risk factors. Bands: 90-100 GOOD, 70-89 MODERATE, 50-69 POOR, 0-49 CRITICAL. Breakdown shows exactly what caused each deduction.

Compliance Frameworks

Maps every finding to controls across 5 frameworks:
  • ISM (Australia): ISM-2072, ISM-2086, ISM-2087, ISM-2092
  • EU AI Act: Article 15 (robustness against model poisoning)
  • OWASP LLM Top 10: LLM06 (Supply Chain Vulnerabilities)
  • MITRE ATLAS: AML.T0010 (ML Supply Chain Compromise)
  • NIST AI RMF: MAP 3.4, MANAGE 2.4, MANAGE 4.1
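The Risk Score and Compliance Frameworks sections above describe one pipeline: per-file verdicts become deductions from 100, a band, a PASS/FAIL/WARN status per framework, and an ordered remediation list. The following is an added example of that pipeline, not the skill's `scripts/scan.py`. The starting score, the four bands, the verdict names and the framework names are taken from this page; the deduction weights, the status rules (ISM-2072 fails on any executable format even when the scan is clean, the others fail on MALICIOUS and warn on SUSPICIOUS or remote code), the reading of SAFE as "clean scan in an executable format", the remediation wording and the sample findings are all assumptions.

```python
"""Added example: risk score, band, compliance status and remediation order.

Illustrative code, not the skill's scripts/scan.py. Start value, bands and
framework names come from the page; deduction weights, PASS/FAIL/WARN rules
and remediation wording are assumptions.
"""
from dataclasses import dataclass

# Assumed deduction weights per finding type.
DEDUCTIONS = {
    "MALICIOUS": 60,          # scanner flagged a code-executing payload
    "SUSPICIOUS": 20,         # scanner flagged something it could not clear
    "EXECUTABLE_FORMAT": 15,  # clean scan, but pickle-based format (verdict SAFE)
    "REMOTE_CODE": 20,        # trust_remote_code / auto_map set in config.json
}
# Bands from the page: lower bound -> label, checked from the top down.
BANDS = ((90, "GOOD"), (70, "MODERATE"), (50, "POOR"), (0, "CRITICAL"))
FRAMEWORKS = ("ISM-2072", "EU AI Act Article 15", "OWASP LLM06",
              "MITRE ATLAS AML.T0010", "NIST AI RMF MAP 3.4")


@dataclass
class Finding:
    path: str
    verdict: str               # MALICIOUS / SUSPICIOUS / SAFE / FORMAT_SAFE
    remote_code: bool = False  # config.json enables custom code loading


def deductions_for(f):
    """List the (reason, points) pairs one file contributes."""
    out = []
    if f.verdict in ("MALICIOUS", "SUSPICIOUS"):
        out.append((f.verdict, DEDUCTIONS[f.verdict]))
    elif f.verdict == "SAFE":
        # Assumption: SAFE = scanned clean in an executable format,
        # FORMAT_SAFE = the format itself cannot carry code.
        out.append(("EXECUTABLE_FORMAT", DEDUCTIONS["EXECUTABLE_FORMAT"]))
    if f.remote_code:
        out.append(("REMOTE_CODE", DEDUCTIONS["REMOTE_CODE"]))
    return out


def risk_score(findings):
    """Start at 100, subtract every deduction, floor at 0, keep the breakdown."""
    breakdown = [(f.path, reason, pts)
                 for f in findings for reason, pts in deductions_for(f)]
    score = max(0, 100 - sum(pts for _, _, pts in breakdown))
    band = next(label for floor, label in BANDS if score >= floor)
    return score, band, breakdown


def compliance(findings):
    """PASS/FAIL/WARN per framework (assumed rules, see lead-in)."""
    malicious = any(f.verdict == "MALICIOUS" for f in findings)
    executable = any(f.verdict in ("MALICIOUS", "SUSPICIOUS", "SAFE") for f in findings)
    warn = any(f.verdict == "SUSPICIOUS" or f.remote_code for f in findings)
    status = {}
    for fw in FRAMEWORKS:
        if fw == "ISM-2072":
            # ISM-2072 mandates non-executable formats: a clean pickle still fails.
            status[fw] = "FAIL" if executable else "PASS"
        else:
            status[fw] = "FAIL" if malicious else "WARN" if warn else "PASS"
    return status


PRIORITY = {"MALICIOUS": 0, "SUSPICIOUS": 1, "REMOTE_CODE": 2, "EXECUTABLE_FORMAT": 3}
ACTION = {
    "MALICIOUS": "quarantine; do not load",
    "SUSPICIOUS": "manual review of the flagged imports/opcodes",
    "REMOTE_CODE": "review the custom code; drop trust_remote_code/auto_map",
    "EXECUTABLE_FORMAT": "convert to SafeTensors or another non-executable format",
}


def remediation(findings):
    """Ordered fix list, most urgent first."""
    items = [(PRIORITY[reason], f"{path}: {ACTION[reason]}")
             for path, reason, _ in risk_score(findings)[2]]
    return [text for _, text in sorted(items)]


# Constructed findings for the demo, not real scanner output.
SAMPLE_FINDINGS = [
    Finding("classifier.pkl", "MALICIOUS"),
    Finding("hf-model/pytorch_model.bin", "SAFE", remote_code=True),
    Finding("weights.safetensors", "FORMAT_SAFE"),
]

if __name__ == "__main__":
    score, band, breakdown = risk_score(SAMPLE_FINDINGS)
    print(f"Risk score: {score}/100 ({band})")
    for path, reason, pts in breakdown:
        print(f"  -{pts:>2}  {path}  {reason}")
    for fw, st in compliance(SAMPLE_FINDINGS).items():
        print(f"{st:<4} {fw}")
    for i, step in enumerate(remediation(SAMPLE_FINDINGS), 1):
        print(f"{i}. {step}")
```

Keeping the breakdown as explicit (path, reason, points) triples is what lets the report say exactly why each point was lost, and the ISM-2072 branch is the place where "compliance requires format change, not just scanning" is enforced: a pickle that scans clean still fails that control.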

Caveats to Always Communicate

  1. No scanner is perfect. 133 known bypass techniques. Clean scan does not mean safe.
  2. SafeTensors is not complete. `trust_remote_code` + `auto_map` loads arbitrary Python alongside safe weights.
  3. Compliance requires format change, not just scanning. ISM-2072 mandates non-executable formats.
  4. Dynamic analysis catches more. For critical models, recommend Dyana.

References

  • `references/scanner-landscape.md` — scanner comparison, bypass techniques, CVE data
  • `references/compliance-frameworks.md` — detailed control text, how to comply per framework