Controlled Joblib Model File Format PoC

This repository contains a controlled model file format security research PoC for .joblib artifacts.

The payload is intentionally non-destructive. It performs no network access, persistence, credential access, data exfiltration, or destructive actions. Because joblib.load() deserializes with Python's pickle machinery, an artifact can run code while it is being loaded; this PoC uses that behaviour only to write a local marker file when the artifact is loaded with joblib.load().

Files

  • 01_payload_only.joblib: positive control.
  • 04_sklearn_clean.joblib: clean sklearn Pipeline control.
  • 05_sklearn_attr_payload.joblib: sklearn Pipeline with a controlled load-time marker payload.

Local reproduction

python3.12 -m venv venv
source venv/bin/activate
pip install joblib numpy scikit-learn modelscan
python verify_poc.py

Expected local behavior:

  • 01_payload_only.joblib creates the marker.
  • 04_sklearn_clean.joblib loads and predicts without creating the marker.
  • 05_sklearn_attr_payload.joblib loads, remains a functional sklearn Pipeline, predicts successfully, and creates the marker during joblib.load().
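The script below is an added example, not part of this repository and not the code behind the .joblib files listed above. It shows the two halves of the procedure in one place: how a load-time marker payload is expressed (a __reduce__ method that makes the unpickler call pathlib.Path(...).touch() at load time) and how such a payload can be caught by a static scan of the stream's GLOBAL/STACK_GLOBAL references before anything is loaded. It uses the standard library pickle module instead of joblib so it runs without joblib, numpy or scikit-learn installed; the relevant fact is that joblib.load() hands the stream to a pickle.Unpickler subclass, so the same __reduce__ call fires there. The function names, the allowlist, and the temporary marker path are this example's own assumptions.

```python
"""Added example: a controlled, non-destructive load-time marker payload for a
pickle-based artifact (joblib uses the same mechanism) and a static scanner that
flags it without executing the stream. Not the repository's own code."""
import io
import os
import pathlib
import pickle
import pickletools
import tempfile

# Assumed allowlist: modules a legitimate sklearn artifact may reference. Anything
# outside it (here: builtins.getattr and pathlib.*) is reported for review.
ALLOWED_MODULE_PREFIXES = ("numpy", "sklearn", "scipy", "joblib")

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


class MarkerPayload:
    """Serialises as 'call pathlib.Path(marker_path).touch()'.

    The object is never rebuilt on load: __reduce__ tells the unpickler which
    callable to invoke and with which arguments, and REDUCE invokes it.
    """

    def __init__(self, marker_path):
        self.marker_path = str(marker_path)

    def __reduce__(self):
        # A bound method pickles as getattr(<Path object>, "touch"); the
        # unpickler then calls it with no arguments. Creates an empty file only.
        return (pathlib.Path(self.marker_path).touch, ())


def build_payload(marker_path):
    """Bytes of a positive-control artifact (stdlib analogue of a payload-only file)."""
    return pickle.dumps(MarkerPayload(marker_path), protocol=4)


def build_clean():
    """Bytes of a data-only artifact with no callable references (clean control)."""
    return pickle.dumps({"coef": [0.5, -1.25], "intercept": 0.1}, protocol=4)


def scan_globals(data):
    """List every (module, name) the stream would import, without executing it.

    GLOBAL carries 'module name' as its argument. STACK_GLOBAL (protocol 4) pops
    the two most recently pushed strings, which may arrive via the memo, so memo
    stores of strings are tracked as well.
    """
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
            last = None
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
            last = None
        else:
            last = None
    return found


def flagged_globals(data):
    """Globals referenced by the stream that fall outside the assumed allowlist."""
    return [g for g in scan_globals(data)
            if not g[0].split(".")[0] in ALLOWED_MODULE_PREFIXES]


def run_demo():
    """Static scan first, then load, checking when the marker actually appears."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "poc_marker.txt")  # assumed marker location
        payload, clean = build_payload(marker), build_clean()
        result = {
            "payload_flagged": flagged_globals(payload),
            "clean_flagged": flagged_globals(clean),
            "marker_after_scan": os.path.exists(marker),  # scanning runs nothing
        }
        pickle.loads(payload)  # joblib.load() reaches the same Unpickler.load()
        result["marker_after_load"] = os.path.exists(marker)
        pickle.loads(clean)  # clean control loads without side effects
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The scan reports builtins.getattr and the pathlib Path class for the payload and nothing for the clean control, and the marker appears only after the load call, which is the behaviour the expected-results list above describes for the .joblib files. A real scikit-learn Pipeline references many sklearn and numpy globals, which is why the check is written as an allowlist rather than "no globals at all".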