[REVIEW] model-supply-chain: add serialization safety evidence gates

[malb200710-dev]

Skill reviewed

skills/ai-security/model-supply-chain/SKILL.md

Gap

The current model supply-chain review mentions unsafe deserialization, but it does not force reviewers to build a complete evidence trail for model serialization safety: actual artifact format, loader API, explicit loader flags, framework-version default behavior, safetensors conversion provenance, and executable-code escape hatches such as trust_remote_code=True.

False-positive scenario

A team verifies a model checksum and marks the model artifact as safe. The model still loads from a pickle-backed .bin, .pt, or .pth checkpoint through torch.load, from_pretrained, a conversion script, or a compatibility shim. The checksum proves byte stability, but the loader can still execute code or rely on unsafe framework defaults.

Missed variants

• Production or CI calls torch.load without an explicit weights_only=True, or sets weights_only=False to keep legacy checkpoints working.
• from_pretrained can fall back to pickle-backed weights because use_safetensors is absent or false.
• Safetensors conversion downloads and deserializes the unsafe source artifact first, but the conversion environment, source digest, converter version, and output digest are not recorded.
• trust_remote_code=True or custom model classes execute registry-provided code without pinned revision and code-owner approval.

Edge cases

A legacy checkpoint may need one-time unsafe loading, but that should happen only inside an isolated conversion job with no production secrets, no broad filesystem access, no network egress, and a signed non-pickle output artifact promoted to production. Public safetensors artifacts are still not proof against poisoned weights or backdoors; this gate only covers executable deserialization risk.

Proposed remediation

Add a serialization safety evidence gate, detection patterns, evidence table, output fields for loader safety, finding classifications, and a common pitfall covering unsafe checkpoint conversion provenance.

Bounty note

If accepted under the project bounty terms, payment details can be provided privately through the maintainer's preferred channel.

[malb200710-dev]

Implemented this review as PR #2289: #2289

Scope: serialization safety evidence gate for pickle-backed checkpoints, explicit weights_only / use_safetensors loader controls, safetensors conversion provenance, trust_remote_code review, and loader-safety output reporting.

[JamesJi79]

/attempt #2288

Will submit VALID GAP analysis shortly.

[JamesJi79]

/attempt #2288

VALID GAP - model-supply-chain: add serialization safety evidence gates

Why Valid (FP confirmed)

The issue correctly identifies that verifying a model checksum alone is insufficient assurance when the model artifact is still loaded through unsafe deserialization (pickle-backed .bin/.pt/.pth via torch.load or from_pretrained without safetensors). A team that only checks the checksum and marks the artifact as safe is making a false-positive assumption because checksum proves byte stability but not loader safety.

Coverage Gaps

Gap 1 - from_pretrained fallback to pickle - HuggingFace from_pretrained can fall back to pickle-backed weights when use_safetensors is absent or explicitly set to False, even when safetensors files exist in the repo. Need gate: Evidence that use_safetensors=True is enforced in all model loading code or that no pickle-backed weight files exist.

Gap 2 - trust_remote_code=True without pinning - Setting trust_remote_code=True on custom model classes allows registry-provided code execution during loading. Without pinned revision and code-owner approval, this is an arbitrary code execution vector. Need gate: Evidence that trust_remote_code uses pinned commit revisions and has documented code owner approval.

Gap 3 - Safetensors conversion provenance - Conversion scripts that download the original unsafe artifact, convert to safetensors, then promote the output still have an unrecorded conversion environment, source digest, converter version, and output digest, making the conversion step itself a potential tamper point. Need gate: Evidence of recorded conversion provenance including source digest and converter identity.

Suggested Gates

MOD-SER-01: Loader safety enforcement - Evidence that all model loading code uses safetensors or explicit weights_only=True, and that from_pretrained calls include use_safetensors=True. Source: SAST scan for unsafe torch.load patterns, code review of model loading entry points.

MOD-SER-02: trust_remote_code controls - Evidence that any trust_remote_code=True usage is pinned to a specific commit revision and approved by code owner. Source: pinned commit hash in model config, approval record.

MOD-SER-03: Conversion provenance - Evidence that safetensors conversion artifacts include source artifact digest, converter version, conversion environment isolation (no secrets/network egress), and output digest verification. Source: CI pipeline logs, artifact metadata.