We often talk about "AI Security" in the context of Prompt Injection or Jailbreaking. But there is a much more boring, yet dangerous layer underneath: The Supply Chain.
We assume that if a model is on Hugging Face, it works. We assume that if the repo says "Apache 2.0", it’s safe for commercial use. We assume that the file we download is the file the author uploaded.
I decided to test these assumptions.
I took a random sample of 2,500 models from the "Trending" and "New" sections of Hugging Face and ran them through Veritensor, an open-source auditing tool designed to deep-scan model artifacts (Pickle, PyTorch, Safetensors).
The results were not catastrophic, but they were messy. Here is what the data says about the state of MLOps hygiene in 2025.
1. The "Fake" Models (Integrity Failure)
The most frequent critical error wasn't malware. It was corruption.
I found 16 instances where the file downloaded did not match the cryptographic hash recorded in the repository.
- The Diagnosis: In almost all cases, this was a Git LFS (Large File Storage) failure. The repository contained a 130-byte text pointer instead of the actual 4GB model weights.
- The Risk: If you pull this into a production pipeline, your application crashes with obscure errors like
UnpicklingErrororHeader too large. It’s a stability nightmare that standard tools likewgetorpipdon't warn you about until runtime.
2. The License Trap
Legal risk is the new security risk.
I found5 models that were publicly available but contained restrictive metadata inside the files:
cc-by-nc-sa-4.0(Non-Commercial)cc-by-nc-sa-3.0
These licenses were embedded in the safetensors headers. A developer simply downloading these weights might miss the license file in the repo, integrate the model into a SaaS product, and expose the company to IP litigation.
3. Shadow Dependencies (The "YOLO" Problem)
This was the most surprising finding. Roughly 50 models in the sample were not self-contained. To load them, the runtime environment required specific third-party libraries installed.
The most common offender? **Ultralytics (YOLO). \ Dozens of models implicitly imported ultralytics.nn.modules. If you try to load these models in a clean PyTorch environment, they fail. From a security perspective, this is "Shadow IT"—your model is forcing dependencies that you didn't explicitly approve.
4. The Obfuscation False Positives
The scanner flagged 11 files for using STACK_GLOBAL—a mechanism often used by malware to hide function calls.
Upon manual review, these turned out to be artifacts from older versions ofnumpy and scikit-learn.
However, this highlights a massive problem: Legacy serialization looks exactly like malware. We are building the future of AI on top of a serialization format (Pickle) so archaic that we can't easily distinguish between a 5-year-old array and a reverse shell.
Conclusion
The AI ecosystem is fragile. It is full of broken pointers, restrictive licenses hiding in binary headers, and implicit dependencies.
If you are building an AI platform, you cannot blindly trust the artifacts. You need a gatekeeper in your CI/CD.
The Data: I have uploaded the full logs of the scan (CSV + JSON) so you can see the specific errors and Repo IDs.
📂 Download the Research Data (Google Drive)
(Tool used for analysis: Veritensor)