Benign PoC: modelscan TF SavedModel op-denylist bypass (PrintV2)
Coordinated-disclosure proof-of-concept submitted to Protect AI via huntr (Model File Vulnerability).
saved_model.pb is a TensorFlow SavedModel graph containing a PrintV2 node whose output_stream attribute is set to "file://<path>". With that attribute, PrintV2 writes its input to an arbitrary file path when the graph runs, but modelscan does not flag it: modelscan's unsafe_tf_operators denylist contains only {ReadFile, WriteFile}, so any other file-touching op passes the scan.
Reproduce
```shell
pip install tensorflow modelscan
modelscan -p saved_model.pb   # -> "No issues found" (the bypass)
```
A control SavedModel that uses the denylisted WriteFile op is flagged HIGH by modelscan, which shows that the scanner itself works and that the gap is specifically PrintV2. Corroboration: TensorFlow's own saved_model_cli.py denylists PrintV2 (_OP_DENYLIST = {'WriteFile', 'ReadFile', 'PrintV2'}), so modelscan's denylist is a strict subset of TensorFlow's.

Strictly benign: modelscan only parses the protobuf and never runs the graph. When the SavedModel is actually loaded and executed, the only effect is that the PrintV2 node writes a harmless marker string (CELVEX-MFV-MARKER) to a temp file. No weaponization. Confirmed against released modelscan 0.8.8.
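The check a practitioner wants after reading the above is the one modelscan is missing: enumerate every NodeDef in a saved_model.pb, including nodes nested inside FunctionDefs, and compare the op against TensorFlow's own three-entry denylist, reporting the output_stream attribute when present. The following is an added example, not code from this repository or from modelscan; it walks the protobuf wire format directly so it needs neither tensorflow nor the generated *_pb2 modules. The field numbers are those of TensorFlow's saved_model.proto, meta_graph.proto, graph.proto, function.proto, node_def.proto and attr_value.proto. The sample SavedModel it builds (the node names, the function name `__inference_fn` and the path `/tmp/example-marker.txt`) is constructed for this example and is not the PoC file described on this page.

```python
"""Dependency-free op scanner for TensorFlow SavedModel protobufs (saved_model.pb).
Walks the protobuf wire format directly; field numbers follow TensorFlow's
saved_model / meta_graph / graph / function / node_def / attr_value .proto files."""

# TensorFlow's saved_model_cli _OP_DENYLIST; modelscan 0.8.x carries only the first two.
DENYLIST = frozenset({"ReadFile", "WriteFile", "PrintV2"})

def _read_varint(buf, pos):
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def fields(buf):
    """Yield (field_number, wire_type, value) for each field of a message."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        fnum, wtype = key >> 3, key & 7
        if wtype == 0:                                   # varint
            val, pos = _read_varint(buf, pos)
        elif wtype == 2:                                 # length-delimited
            ln, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        elif wtype in (1, 5):                            # fixed64 / fixed32
            size = 8 if wtype == 1 else 4
            val, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        yield fnum, wtype, val

def sub(buf, fnum):
    """All length-delimited values (strings or submessages) of field `fnum`."""
    return [v for f, w, v in fields(buf) if f == fnum and w == 2]

def _parse_node(node_buf):
    """(name, op, string-valued attrs) of a NodeDef: name=1, op=2, attr map=5."""
    name = op = ""
    attrs = {}
    for fnum, wtype, val in fields(node_buf):
        if fnum == 1 and wtype == 2:
            name = val.decode()
        elif fnum == 2 and wtype == 2:
            op = val.decode()
        elif fnum == 5 and wtype == 2:                   # attr map entry: key=1, value=2
            key = b"".join(sub(val, 1)).decode()
            for s in (s for av in sub(val, 2) for s in sub(av, 2)):   # AttrValue.s
                attrs[key] = s.decode(errors="replace")
    return name, op, attrs

def scan_graph_def(graph_buf):
    """Findings for a GraphDef, including nodes nested in its FunctionDefLibrary."""
    nodes = [(n, "graph_def") for n in sub(graph_buf, 1)]               # GraphDef.node
    for fn in (fn for lib in sub(graph_buf, 2) for fn in sub(lib, 1)):   # library.function
        fn_name = next((nm.decode() for sig in sub(fn, 1) for nm in sub(sig, 1)), "?")
        nodes += [(n, f"function:{fn_name}") for n in sub(fn, 3)]        # FunctionDef.node_def
    findings = []
    for node_buf, location in nodes:
        name, op, attrs = _parse_node(node_buf)
        if op in DENYLIST:
            findings.append({"location": location, "node": name, "op": op,
                             "output_stream": attrs.get("output_stream")})
    return findings

def scan_saved_model(buf):
    """Scan the raw bytes of a saved_model.pb and return the list of findings."""
    return [f for mg in sub(buf, 2)                      # SavedModel.meta_graphs
              for gd in sub(mg, 2)                       # MetaGraphDef.graph_def
              for f in scan_graph_def(gd)]

# --- encoder, used only to build a constructed sample (not this repo's PoC file) ---
def _write_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def ld(fnum, payload):
    """Encode one length-delimited field (wire type 2)."""
    payload = payload.encode() if isinstance(payload, str) else payload
    return _write_varint((fnum << 3) | 2) + _write_varint(len(payload)) + payload

def node_def(name, op, **string_attrs):
    msg = ld(1, name) + ld(2, op)
    for k, v in string_attrs.items():
        msg += ld(5, ld(1, k) + ld(2, ld(2, v)))         # attr entry -> AttrValue.s
    return msg

def build_sample():
    """Constructed SavedModel: PrintV2 with a file:// sink at top level plus a WriteFile
    hidden inside a FunctionDef. The path is a placeholder chosen for this example."""
    top = [node_def("x", "Placeholder"),
           node_def("leak", "PrintV2", output_stream="file:///tmp/example-marker.txt")]
    fn = ld(1, ld(1, "__inference_fn")) + ld(3, node_def("w", "WriteFile"))
    graph = b"".join(ld(1, n) for n in top) + ld(2, ld(1, fn))      # nodes + library
    return bytes([0x08, 0x01]) + ld(2, ld(2, graph))   # schema_version=1, meta_graphs[0]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for finding in scan_saved_model(data):
        print(finding)
```

Run it with a real file as `python scan.py path/to/saved_model.pb` (the script name is arbitrary), or with no argument to scan the constructed sample, which yields one finding for the top-level PrintV2 with its file:// output_stream and one for the WriteFile inside the function. Scanning nested FunctionDefs matters because tf.function-exported SavedModels place most ops there rather than in the top-level GraphDef. Like modelscan's check, this is still a denylist, so it inherits the same class of gap for any further file-touching op TensorFlow adds later; for modelscan itself, the 0.8.x releases read the denylist from a settings file (`modelscan create-settings-file` writes the defaults, and the unsafe_tf_operators map under the SavedModel op scanner can be extended with PrintV2 and passed back via `--settings-file`), which is the quickest way to close this particular gap without waiting for an upstream change.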