Model supply-chain scanning

A model you did not train is third-party code, and you are about to give it your data and your runtime. The risk is not abstract: a pickle-format weight file runs arbitrary Python the moment it loads, so a tampered checkpoint executes on the host that opens it - before a single inference. The license might be missing, restrictive, or quietly contradict what the README claims. The repository might enable custom code execution, lack any safety or bias evaluation, or be a three-day-old upload with no track record.

None of this shows up in a demo. It shows up in an audit, or in an incident, after the model is already in your pipeline. Reviewing it by hand for every model an ML team wants to try does not scale, so in practice nobody does it.

Point the analyzer at a public model registry URL or repository id and it scores the model against more than fifty supply-chain checks before the model reaches production. It reads only public metadata - it never downloads or executes the model weights - so the analysis itself adds no risk.

It flags pickle-format weight files that execute code on load and downgrades the finding when a byte-safe alternative such as safetensors or GGUF ships alongside; missing or restrictive licenses and license drift between the metadata and the README; custom-code execution paths (trust_remote_code); unsafe chat-template tokens; missing safety and bias evaluation; low-adoption or freshly-uploaded repositories and deprecation status; and EU AI Act Annex IV disclosure gaps (compute, carbon, training languages). Where the registry publishes its own weight-scanner verdict, the analyzer surfaces it alongside its own. Every finding lands in the same evidence trail as the rest of your AI surface.

Model card findings map to OWASP LLM03 (supply chain) and LLM05, NIST AI 600-1 MAP and MEASURE actions, MITRE ATLAS supply-chain techniques, and EU AI Act Article 11 / Annex IV technical-documentation expectations.