
PickleScan

Pickle File Security Scanner

About PickleScan

PickleScan is a free, browser-based security scanner for Python pickle files. It analyzes pickle bytecode without executing it, detecting dangerous opcodes and malicious imports that could compromise your system.

Why Pickle Files Are Dangerous

Python's pickle module is widely used to serialize and deserialize objects. However, pickle files are not just data — they can contain arbitrary code that executes when the file is loaded.

When you call pickle.load() or torch.load(), the pickle file can:

This is especially dangerous when downloading ML models from public sources like HuggingFace, GitHub, or research papers. A malicious model can look legitimate but contain hidden payloads.

How PickleScan Works

PickleScan is a static analysis tool: it parses pickle bytecode without ever executing it. It works by:

  1. Parsing opcodes — Pickle files are stack-based bytecode. We disassemble them into individual operations.
  2. Extracting imports — We identify all GLOBAL, INST, and STACK_GLOBAL opcodes that import modules.
  3. Matching against blacklists — Known dangerous imports (os.system, subprocess.Popen, eval, etc.) are flagged as CRITICAL.
  4. Detecting execution chains — REDUCE and BUILD opcodes can execute imported functions, so we count and flag excessive usage.
  5. Categorizing imports — Safe imports (torch, numpy) are whitelisted. Unknown imports are flagged as suspicious.

PyTorch Support (.pt, .pth files)

PyTorch checkpoint files (.pt, .pth, .bin) are ZIP archives containing pickle files. PickleScan automatically:
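To make the five scanning steps and the checkpoint handling concrete, here is an added example that is not PickleScan's own code (which runs in the browser): a Python version of the same static walk built on the standard library's pickletools.genops. The blacklist, whitelist, sample pickles and the archive/data.pkl member name are constructed for the demo and are assumptions, not PickleScan's lists or PyTorch's exact layout; the samples are only ever disassembled, never passed to pickle.load.

```python
"""Static pickle scan mirroring the five steps above. Added example, not
PickleScan's code; standard library only; the samples are never unpickled."""
import io
import pickle
import pickletools
import zipfile
from collections import Counter, OrderedDict

# Constructed demo lists (assumption: PickleScan's real lists differ).
# pickle records a callable's defining module, so os.system is written as
# posix.system on Linux and nt.system on Windows; cover those aliases too.
BLACKLIST = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
    ("builtins", "eval"), ("builtins", "exec"), ("__builtin__", "eval"),
}
WHITELIST_MODULES = {"torch", "numpy", "collections"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_imports(data):
    """Steps 1-2: disassemble with pickletools.genops (no execution) and
    collect every (module, name) named by GLOBAL, INST or STACK_GLOBAL.
    Also returns a Counter of all opcodes seen."""
    imports, counts, strings = [], Counter(), []
    for op, arg, _pos in pickletools.genops(data):
        counts[op.name] += 1
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)   # genops yields "module name"
            imports.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)                # possible STACK_GLOBAL operands
        elif op.name == "STACK_GLOBAL":
            # Protocol 4 pushes module and name as two strings just before.
            # Simplification: a memo reference (BINGET) there is not resolved.
            if len(strings) >= 2:
                name, module = strings.pop(), strings.pop()
            else:
                name, module = "<unresolved>", "<unresolved>"
            imports.append((module, name))
    return imports, counts


def scan_pickle(data):
    """Steps 3-5: classify each import and count REDUCE/BUILD opcodes."""
    imports, counts = extract_imports(data)
    findings = []
    for module, name in imports:
        if (module, name) in BLACKLIST:
            level = "CRITICAL"
        elif module.split(".")[0] in WHITELIST_MODULES:
            level = "SAFE"
        else:
            level = "SUSPICIOUS"
        findings.append((level, f"{module}.{name}"))
    levels = {level for level, _ in findings}
    verdict = ("CRITICAL" if "CRITICAL" in levels
               else "SUSPICIOUS" if "SUSPICIOUS" in levels else "CLEAN")
    return {"verdict": verdict, "findings": findings,
            "reduce_count": counts["REDUCE"], "build_count": counts["BUILD"]}


def scan_checkpoint(zip_bytes):
    """PyTorch-style checkpoint: a ZIP whose .pkl members are each scanned.
    Returns {member name: scan result}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: scan_pickle(zf.read(info))
                for info in zf.infolist() if info.filename.endswith(".pkl")}


def build_checkpoint(pickle_bytes):
    """Constructed stand-in for a .pt file (member name is an assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle_bytes)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


# Constructed samples. The hostile ones are hand-written opcode streams that
# name os.system with the harmless argument "true" (protocol 2 uses GLOBAL,
# protocol 4 uses STACK_GLOBAL); they are only ever disassembled here.
HOSTILE_P2 = b"\x80\x02cos\nsystem\nq\x00X\x04\x00\x00\x00trueq\x01\x85q\x02Rq\x03."
HOSTILE_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x04true\x85R."
BENIGN = pickle.dumps({"epoch": 3, "weights": [0.1, 0.2]}, protocol=4)
SAFE_IMPORT = pickle.dumps(OrderedDict(lr=0.01), protocol=4)   # collections.*
UNKNOWN_IMPORT = pickle.dumps(pickletools.genops, protocol=2)  # pickletools.*

if __name__ == "__main__":
    for label, blob in [("hostile p2", HOSTILE_P2), ("hostile p4", HOSTILE_P4),
                        ("benign", BENIGN), ("safe import", SAFE_IMPORT),
                        ("unknown import", UNKNOWN_IMPORT)]:
        print(f"{label:15} {scan_pickle(blob)}")
    print("checkpoint:", scan_checkpoint(build_checkpoint(HOSTILE_P4)))
```

Two details are worth carrying over to any scanner or blacklist you maintain. First, pickle stores the module that defines a callable, not the name you imported it under, so a list that only contains os.system misses the posix.system and nt.system spellings that pickle.dumps actually writes. Second, protocol 4 names imports through STACK_GLOBAL, which takes its module and name from values already on the stack; a scanner that only looks at GLOBAL and INST opcodes will report such a file as import-free.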

100% Client-Side

All scanning happens in your browser. No files are uploaded to any server. This ensures:

Limitations

PickleScan is a static analysis tool. It cannot:

Use PickleScan as a first-pass filter, not a guarantee. When in doubt, inspect the pickle opcodes manually or sandbox the file before loading.

Who Built This?

PickleScan is built by NullKit, a security research project focused on ML model safety. We believe tools like this should be free and accessible to everyone.

Questions? Contact us at [email protected]

Open Source

PickleScan is open source. The code is available on GitHub under the MIT license.
