ModelScan v0.8.8 cloudpickle/dill scanner false negative PoC
Summary
ModelScan v0.8.8 reports no issues for benign canary artifacts serialized with cloudpickle and dill, while controlled local loading of the same artifacts creates a benign marker file.
The same canary pattern is detected when serialized with standard pickle and joblib, suggesting a scanner coverage gap for cloudpickle/dill artifacts.
Files
- canary_cloudpickle.pkl: benign cloudpickle canary
- canary_dill.pkl: benign dill canary
- verify_cloudpickle_dill_load.py: controlled local verification script
- modelscan_cloudpickle.txt: ModelScan output for the cloudpickle artifact
- modelscan_dill.txt: ModelScan output for the dill artifact
- controlled_load.txt: proof that the controlled load creates the marker
- env.txt: environment versions
- sha256.txt: artifact hashes
Reproduction
Run in a local test environment:
python -m venv .venv
source .venv/bin/activate
pip install modelscan==0.8.8 cloudpickle==3.1.2 dill==0.4.1
modelscan -p canary_cloudpickle.pkl
modelscan -p canary_dill.pkl
python verify_cloudpickle_dill_load.py
Expected result
ModelScan reports no issues for both canary_cloudpickle.pkl and canary_dill.pkl.
Controlled loading reports:
exists_after=True
marker_content=serialization canary was loaded
Impact
A cloudpickle or dill model artifact may pass ModelScan with zero findings while still triggering behavior when loaded by an application using cloudpickle.load() or dill.load().
This PoC is benign. It writes a local marker file only.
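A defender who cannot rely on ModelScan for cloudpickle/dill artifacts can still inspect a pickle stream statically, without ever unpickling it, by walking its opcodes with the standard-library pickletools module and listing every GLOBAL / STACK_GLOBAL import it would perform. The following is an added example written for this page; it is not part of the PoC and not ModelScan's own code. The deny-list of modules (including the cloudpickle and dill internals that rebuild functions at load time) and the sample streams are constructed here for illustration; the specific function names _create_function and _make_function are assumed, and the check flags the whole module rather than depending on them.

```python
"""Static pickle-stream triage: list imports and call opcodes without loading.

Added example (not the PoC's code). It never calls pickle.load / dill.load /
cloudpickle.load, so inspecting a hostile stream cannot execute anything.
"""
import io
import pickle
import pickletools

# Assumed deny-list: modules a model artifact should not need to import, plus the
# cloudpickle/dill internals that reconstruct functions and classes on load.
SUSPICIOUS_MODULES = {
    "os", "posix", "nt", "subprocess", "sys", "builtins", "__builtin__",
    "shutil", "socket", "importlib", "runpy", "codecs", "operator",
    "cloudpickle", "cloudpickle.cloudpickle", "cloudpickle.cloudpickle_fast",
    "dill", "dill._dill",
}
# Opcodes that call a callable or constructor while unpickling.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def collect_globals(data):
    """Return (module, name) pairs referenced by GLOBAL / STACK_GLOBAL opcodes.

    Protocol 0-3 use GLOBAL with an inline "module name" argument; protocol 4+
    push two string constants and then emit STACK_GLOBAL, so we track the most
    recent string constants to resolve it (simplified: ignores MEMOIZE/GET).
    """
    refs = []
    strings = []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL: missing operands")
            refs.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPCODES:
            strings.append(arg)
    return refs


def scan_pickle(data):
    """Static triage of a pickle stream. Returns a dict with findings."""
    try:
        refs = collect_globals(data)
        calls = [op.name for op, _, _ in pickletools.genops(io.BytesIO(data))
                 if op.name in CALL_OPCODES]
    except (ValueError, EOFError) as exc:
        # An unparseable stream is itself a finding: do not treat it as clean.
        return {"globals": [], "call_opcodes": [], "clean": False,
                "findings": [f"malformed stream: {exc}"]}
    findings = [f"{m}.{n}" for m, n in refs
                if m in SUSPICIOUS_MODULES or m.split(".")[0] in SUSPICIOUS_MODULES]
    return {"globals": refs, "call_opcodes": calls,
            "findings": findings, "clean": not findings}


def _stack_global_stream(module, name):
    """Constructed protocol-4 stream: PROTO, two SHORT_BINUNICODE, STACK_GLOBAL, STOP.

    It only references a global and stops; it performs no call, so it is a
    safe stand-in for what a cloudpickle/dill artifact's import looks like.
    """
    def su(s):
        b = s.encode("utf-8")
        return b"\x8c" + bytes([len(b)]) + b
    return b"\x80\x04" + su(module) + su(name) + b"\x93."


# Constructed samples: an ordinary weights-style dict, a dill-style GLOBAL
# (protocol 0 text opcode 'c'), and a cloudpickle-style STACK_GLOBAL.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3})
DILL_STYLE = b"cdill._dill\n_create_function\n."
CLOUDPICKLE_STYLE = _stack_global_stream("cloudpickle.cloudpickle", "_make_function")

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("dill-style", DILL_STYLE),
                        ("cloudpickle-style", CLOUDPICKLE_STYLE)]:
        print(label, scan_pickle(blob))
```

Run the script to see the benign dict come back clean while both cloudpickle- and dill-style streams are flagged on their module import alone. This is deliberately a triage aid rather than a replacement scanner: it reports every import and every call opcode so a reviewer can decide whether an artifact that needs `dill._dill` or `cloudpickle.cloudpickle` to deserialize is expected for the application, and it treats an unparseable stream as a finding rather than a pass.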