How safe is it to download a model from civitai even if it says "file verified" "this file appears to be safe"?

[beybladerletitrip]

Hello, what else can I do to be safe, I am not a coder so I am very new to this world and didn't want to just randomly download models without knowing what I am doing. Is it simply enough for those qualifiers in my title to be said for ckpt files or is there anything else I can do to make sure the files are safe from civitai and even after I downloaded them like a scan? And secondly are safetensors perfectly safe or do they pose risks themselves and if they do how do you mitigate for such risks?.

[JustMaier]

You can read a bit about our scanning process in the wiki here. In short, we scan everything with Clam Anti-virus and picklescan to understand what pickle imports are being done inside of ckpt files so that we might identify dangerous pickle imports.

If you're nervous about files downloaded from the site, you certainly can scan them again yourself.
As for safetensors, they can't contain dangerous imports (that's the purpose of the new standard), so the only check they need to pass is a virus scan. So since we scan everything for viruses, you should be good to go.

Hope that helps 👍

[beybladerletitrip]

thank you for your reply! One thing that confused me was that hugging face also uses some type of pickle scanner and a ckpt over there would be in orange but over here it would be green and verified for the same ckpt. Is hugging face just using a different scanner how do I know which is safe to use is there like a specific pickle code I should be on watch for and what explains for that difference? And would scanning and converting pickles into safe tensor in a virtual machine be a good idea? If so could you recommend me a good scanner and converter?

[JustMaier]

Do you have an example of that that you can share? It'd be good to see why and how our results might differ.

As far as converting safely, I believe you're correct, you'd want to do it inside of a VM. I don't have a specific script or tool to use, because I haven't actually done it myself, sorry.

That said, we've recently added the ability to convert from ckpt to safetensor to our model scanner so we just need to add the ability to request models in a different format. I'll be sure to let you know when that's live.

[beybladerletitrip]

An example of this I can give is hasanblend 1.4 ckpt on hugging face compared to on civitai, there were other examples when I remember or when I find more I can link more. Along with this I have noticed some of these models come with vaes it would say this checkpoint comes with a vae like on anythingv3 but the problem with that is people download it without realizing the vae is actually red along with this I noticed links in descriptions that would have pt files things or like vaes that dont open a site but opens the save page which I think are not virus scanned. Is there a way to be safe with pt files,vaes and loras such as turning them into safe tensor or is that not possible do these file types have a different way to be safe with them?

Can you also recommend me a standalone pickle scanner that is trusted to use?