Model Safety MCP Server

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.
1. Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal
git clone https://github.com/itsalissonsilva/ModelSafetyMCP
cd ModelSafetyMCP

Then follow the repository README for any remaining dependency or build steps before continuing.

2. Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal
claude mcp add model-safety -- python "<FULL_PATH_TO_MODELSAFETYMCP>/run_server.py"

Replace <FULL_PATH_TO_MODELSAFETYMCP> with the actual folder you prepared in step 1. The repository README runs the server with its bundled python312 runtime and run_server.py, so point the command at that interpreter if the system python lacks the mcp, modelscan, picklescan, and h5py packages.

README.md

Scan machine learning model artifacts for unsafe serialization and malware.

Model Safety MCP

Malicious or unsafe ML artifacts are a real supply-chain problem. There have already been real cases of malicious or suspicious models being discovered in the wild, including models hosted on public platforms and larger batches of unsafe AI/ML artifacts. See "RL identifies malware ML model hosted on Hugging Face" and "Over 100 Malicious AI/ML Models Found on Hugging Face".

One of the biggest reasons this matters is deserialization risk. Many model formats, especially pickle-based and framework-specific formats, can execute code or invoke unsafe logic while being loaded or reconstructed. That means a model file can become an execution vector, not just a passive blob of weights.

model-safety is an MCP server for inspecting machine learning model artifacts before you load, ship, or trust them.

It is designed for practical triage:

  • scan a local model file
  • scan a downloadable model URL
  • triage a whole directory of artifacts
  • combine heuristic checks with dedicated scanners
  • return normalized findings and concrete next actions

What It Can Do

The server currently exposes these tools:

  • available_scanners Shows which scanner backends are installed and ready.
  • artifact_safety_report Runs the broadest scan available on one model artifact and returns per-scanner results, normalized findings, highest severity, and recommended actions.
  • modelscan_scan Runs ModelScan directly against a local file or URL.
  • picklescan_scan Runs PickleScan directly against a local file or URL.
  • deep_model_inspect Runs lightweight structural checks for risky extensions, embedded pickle members, and suspicious packaging patterns.
  • scan_directory Runs artifact_safety_report across every file in a directory and aggregates the risky files.

Quick Start

  1. Add the MCP server to Cursor or Claude Code using the local Python runtime in this repo.
  2. Start with artifact_safety_report on a local file or direct URL.
  3. Review normalized_findings, highest_severity, and recommended_actions.
  4. Use scan_directory when you need to triage a whole model drop.

Minimal Cursor config:

{
  "mcpServers": {
    "model-safety": {
      "type": "stdio",
      "command": "C:/Users/Lenovo/Documents/ModelSafetyMCP/python312/python.exe",
      "args": ["C:/Users/Lenovo/Documents/ModelSafetyMCP/run_server.py"]
    }
  }
}

Current Detection Strengths

This MCP is strongest when scanning:

  • PyTorch checkpoints such as .pt and .pth
  • pickle-like artifacts such as .pkl, .pickle, and .joblib
  • Keras and TensorFlow HDF5 models such as .h5
  • model bundles that are actually ZIP or TAR containers

It currently combines:

  • modelscan Best general-purpose backend, especially for model-specific unsafe patterns like Keras Lambda.
  • picklescan Best supporting backend for pickle-oriented artifacts.
  • deep_model_inspect Fast heuristic fallback that catches risky packaging even when specialized scanners are quiet.
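The deserialization risk described above is why the backends read the pickle opcode stream instead of loading the file. As an added example that is not the project's own code, the Python below walks a pickle with pickletools to list every global it would import, flags any outside an assumed PyTorch-style allowlist, and scans each .pkl member of a ZIP bundle (the layout torch.save writes), which is the "embedded pickle members" case deep_model_inspect targets. ALLOWED_GLOBALS, the sample objects and the member name are assumptions for this example.

```python
import io, pickle, pickletools, zipfile
from collections import Counter, OrderedDict  # only used to build constructed samples
# Globals a plain PyTorch state_dict is expected to reference. This allowlist is
# an assumption for the example, not the project's own list.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                   "torch.FloatStorage", "torch.LongStorage"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_GET, MEMO_PUT = {"BINGET", "LONG_BINGET", "GET"}, {"MEMOIZE", "BINPUT", "LONG_BINPUT", "PUT"}

def pickle_globals(data: bytes):
    """Yield each 'module.name' the stream would import, by walking opcodes with
    pickletools instead of calling pickle.loads. GLOBAL (protocol <= 3) carries
    "module name" inline; STACK_GLOBAL (protocol 4+) pops two strings, so string
    pushes and memo round-trips are tracked to recover them."""
    memo, strings, last = {}, [], None
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in MEMO_GET:
            strings.append(memo.get(arg))
        elif op.name in MEMO_PUT:  # a memo write leaves the stack top unchanged
            memo[len(memo) if op.name == "MEMOIZE" else arg] = last
            continue
        elif op.name == "GLOBAL":
            yield arg.replace(" ", ".", 1)
        elif op.name == "STACK_GLOBAL":
            yield ".".join(str(s) for s in strings[-2:])
        last = strings[-1] if op.name in STRING_OPS | MEMO_GET else None

def scan_pickle_bytes(data: bytes) -> list[str]:
    """Findings: globals outside the allowlist, or a stream pickletools rejects."""
    try:
        return [f"non-allowlisted global: {g}" for g in pickle_globals(data)
                if g not in ALLOWED_GLOBALS]
    except (ValueError, IndexError, KeyError) as exc:
        return [f"malformed pickle stream: {exc}"]

def scan_artifact(data: bytes) -> dict[str, list[str]]:
    """ZIP input (the layout torch.save writes) gets each *.pkl member scanned."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {n: scan_pickle_bytes(zf.read(n)) for n in zf.namelist() if n.endswith(".pkl")}
    return {"<root>": scan_pickle_bytes(data)}

def sample_zip(obj, member: str = "archive/data.pkl") -> bytes:
    """Constructed sample: a ZIP bundle with one pickled member, like a .pt file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, pickle.dumps(obj, protocol=2))
    return buf.getvalue()

if __name__ == "__main__":  # Counter is harmless; it stands in for any unknown class
    for label, obj in (("safe", OrderedDict(w=[0.5])), ("suspect", Counter(x=1))):
        print(label, scan_artifact(sample_zip(obj)))
```

The allowlist approach is deliberately strict: a PyTorch checkpoint that imports anything beyond the expected reconstruction helpers is worth a closer look even when no scanner names a known-bad pattern.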

Supported Inputs

You can scan either:

  • a local filesystem path
  • a direct http or https artifact URL

For Hugging Face specifically, use the direct file URL:

  • Good: https://huggingface.co/<repo>/resolve/main/model.h5
  • Not ideal: https://huggingface.co/<repo>/blob/main/model.h5

blob URLs usually return an HTML page, while resolve URLs return the real artifact bytes.

Runtime

This repo includes a local Python 3.12 runtime in `python312`. That is the supported runtime because it works with:

  • mcp
  • modelscan
  • picklescan
  • h5py

If you ever need to rebuild that runtime manually:

python312\python.exe -m pip install mcp picklescan modelscan h5py

Start The Server

Run the MCP server with:

python312\python.exe run_server.py

The launcher is repo-local and uses the runtime already bundled in this project.

Cursor Setup

Add the server in Cursor MCP settings with:

  • Name: model-safety
  • Type: stdio
  • Command: C:/Users/Lenovo/Documents/ModelSafetyMCP/python312/python.exe
  • Args: C:/Users/Lenovo/Documents/ModelSafetyMCP/run_server.py

Equivalent JSON:

{
  "mcpServers": {
    "model-safety": {
      "type": "stdio",
      "command": "C:/Users/Lenovo/Documents/ModelSafetyMCP/python312/python.exe",
      "args": ["C:/Users/Lenovo/Documents/ModelSafetyMCP/run_server.py"]
    }
  }
}

A copy-paste example also lives in `cursor.mcp.example.json`.

Claude Code Setup

Add the server with:

claude mcp add model-safety -- C:/Users/Lenovo/Documents/ModelSafetyMCP/python312/python.exe C:/Users/Lenovo/Documents/ModelSafetyMCP/run_server.py

Workflow

1. Confirm the server is con

Tools (6)

  • available_scanners Shows which scanner backends are installed and ready.
  • artifact_safety_report Runs the broadest scan available on one model artifact and returns results.
  • modelscan_scan Runs ModelScan directly against a local file or URL.
  • picklescan_scan Runs PickleScan directly against a local file or URL.
  • deep_model_inspect Runs lightweight structural checks for risky extensions and embedded pickle members.
  • scan_directory Runs artifact_safety_report across every file in a directory and aggregates risky files.

Configuration

claude_desktop_config.json:

{
  "mcpServers": {
    "model-safety": {
      "type": "stdio",
      "command": "python",
      "args": ["run_server.py"]
    }
  }
}

Try it

Scan this local model file at /path/to/model.pt and tell me if it contains any malicious patterns.
Check this Hugging Face model URL for safety: https://huggingface.co/user/repo/resolve/main/model.h5
Run a full safety triage on the entire directory of downloaded models located at ./models_folder.
Which scanner backends are currently available for me to use?

Frequently Asked Questions

What are the key features of Model Safety MCP?

  • Scans local model files and remote artifact URLs for malicious patterns.
  • Performs directory-level triage to identify risky model artifacts in bulk.
  • Integrates multiple backends including ModelScan, PickleScan, and deep structural inspection.
  • Provides normalized findings, severity levels, and recommended actions for remediation.

What can I use Model Safety MCP for?

  • Vetting third-party machine learning models before integrating them into a production pipeline.
  • Auditing a collection of downloaded model files for potential deserialization vulnerabilities.
  • Ensuring compliance with supply-chain security policies when using public model repositories.
  • Quickly identifying risky packaging or embedded malicious code in pickle-based model formats.

How do I install Model Safety MCP?

Clone the repository and use the bundled python312 runtime, which already carries the mcp, modelscan, picklescan, and h5py dependencies (rebuild it with python312\python.exe -m pip install mcp picklescan modelscan h5py if needed). Then start the server by running: python312\python.exe run_server.py

What MCP clients work with Model Safety MCP?

Model Safety MCP works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
