acamara t1_iz0ziae wrote

Pickle objects can be (almost) anything. Including arbitrary code. Now, imagine a bad actor claiming to be publishing a SOTA Random Forests model. However, embedded in their .pkl file is a statement like `import shutils; shutils.rmtree('./');`.

Pickle will happily execute this code. There is nothing checking whether or not the pickle file is safe.

P.S. of course the syntax is not that simple, but I hope you get it (and I’m on mobile, yada yada…)

21
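The mechanism the comment describes, as an added example that is not part of the thread: a pickle does not carry source code, it carries instructions, and an object's `__reduce__` can instruct the unpickler to call any importable callable with any arguments at load time. The class, function names and sample data below are constructed for illustration; `os.getenv` is used as a harmless stand-in for `shutil.rmtree('./')`. The block also shows two checks a practitioner would actually apply: a static opcode scan with `pickletools.genops`, which never executes anything, and a `pickle.Unpickler` subclass whose `find_class` only resolves an explicit allow-list.

```python
"""Malicious pickle demo plus two loader-side checks.

Constructed for illustration; the payload (os.getenv) is harmless.
"""
import io
import os
import pickle
import pickletools


class EvilModel:
    """Stands in for a 'SOTA Random Forests model' that is really a payload.

    __reduce__ tells pickle 'rebuild me by calling this callable with these
    args'; the unpickler performs that call on load.  Here the callable is
    os.getenv, a harmless stand-in for shutil.rmtree('./').
    """

    def __reduce__(self):
        return (os.getenv, ("PICKLE_DEMO_MARKER", "code ran at load time"))


def build_malicious_pickle(protocol: int = 2) -> bytes:
    """Attacker side: the bytes that would be shipped as model.pkl."""
    return pickle.dumps(EvilModel(), protocol=protocol)


def build_benign_pickle() -> bytes:
    """Plain data (dict of ints, floats, lists) needs no imports to rebuild."""
    return pickle.dumps({"n_estimators": 100, "weights": [0.25, 0.75]}, protocol=4)


def naive_load(data: bytes):
    """What most code does.  For the malicious pickle this calls os.getenv during
    load and returns its result; no EvilModel instance is ever created."""
    return pickle.loads(data)


def list_globals(data: bytes) -> list[str]:
    """Check 1, static: walk the opcode stream with pickletools.genops (which
    executes nothing) and collect every module.name the file would import.

    GLOBAL carries 'module name' in one opcode (protocols 0-3).  STACK_GLOBAL
    (protocol 4+) takes the two strings pushed just before it, which is what
    CPython's pickler emits; a hand-crafted pickle could supply them via memo
    lookups instead, so treat this as triage, not as the gate.
    """
    found: list[str] = []
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":
            found.append(".".join(recent_strings[-2:]))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            recent_strings.append(arg)
    return found


# Check 2, enforced at load: only these (module, name) pairs may be resolved.
# Hypothetical allow-list; extend it with exactly the classes your model
# format legitimately needs, and nothing that can run a command or open a file.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the single choke point through which GLOBAL/STACK_GLOBAL
    become Python objects, so refusing here blocks every callable the file names."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"pickle tried to import {module}.{name}; refused")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_refused(data: bytes) -> bool:
    """True when the restricted loader rejects the file (what we want for EvilModel)."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    evil = build_malicious_pickle()
    print("naive load returned:", naive_load(evil))
    print("globals referenced:", list_globals(evil))
    print("restricted load refused it:", load_is_refused(evil))
    print("benign data still loads:", safe_load(build_benign_pickle()))
```

The allow-list approach is only as good as the entries on it: any class you permit is trusted to run its own `__setstate__` and constructor logic, and a real scikit-learn model needs dozens of such entries, which is why the scan in `list_globals` is useful for reviewing a third-party .pkl before deciding what to allow.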