--- license: mit tags: [security-research, picklescan-bypass, modelscan-bypass, poc] --- # PoC: pickle scanner bypass (picklescan + modelscan) — `pathlib.Path.write_bytes` + `sqlite3` load_extension Security-research artifact for a huntr Model File Vulnerability disclosure. `malicious.pkl` is a self-contained pickle that **both `picklescan` 1.0.4 and `modelscan` 0.8.8 report as CLEAN** yet executes native code on `pickle.load`: `pathlib.Path.write_bytes` writes an embedded SQLite extension to `/tmp`, then `sqlite3` `load_extension` loads it. The payload is BENIGN — it only writes a marker file (`/tmp/oneshot_marker`) to demonstrate code execution. Do not load untrusted pickles.