
Model "baseten/sdxl-controlnet-inpaint-trt-A10G" in this repository requires validation #465

@MendyPanelli232

Description


Hi, @michaelfeil, @squidarth. I'd like to report that potentially risky pretrained models are being used in this project, which may pose backdoor threats. Please check the following code example:

stable-diffusion/stable-diffusion-inpainting-trt/model/model.py

```python
import os

from huggingface_hub import snapshot_download


def load(self):
    # Downloads the whole repository snapshot (engine and ONNX files) into the data dir.
    # No revision is pinned, so whatever the repo currently serves is used.
    snapshot_download(
        "baseten/sdxl-controlnet-inpaint-trt-A10G",
        local_dir=self._data_dir,
        max_workers=4,
    )
    self.model.loadEngines(
        os.path.join(self._data_dir, "engine-1.5"),
        os.path.join(self._data_dir, "onnx-1.5"),
        None,
        opt_batch_size=None,
        opt_image_height=None,
        opt_image_width=None,
    )
    self.model.loadResources(512, 512, 1, None)
    # prompt, negative_prompt, image, mask, image_height and image_width come from
    # the inference request; they are not defined in this excerpt.
    images = self.model.infer(
        prompt,
        negative_prompt,
        image,
        mask,
        image_height,
        image_width,
        seed=None,
        strength=0.75,
    )
```

Issue Description

As shown above, in stable-diffusion/stable-diffusion-inpainting-trt/model/model.py, the model "baseten/sdxl-controlnet-inpaint-trt-A10G" is used as the default model parameter in the snapshot_download method, which downloads all ONNX files. Finally, the clip_inpaint.onnx file runs via self.model.infer.

At the same time, the model is flagged as risky on the HuggingFace platform. The clip_inpaint.onnx files in these models are marked as risky and may trigger backdoor threats. For certain specific inputs, the backdoor in the models could be activated, effectively altering the model's behavior.


Related Risk Reports: model risk report

Suggested Repair Methods

  1. Convert the model to safer safetensors format and re-upload
  2. Try to regenerate the model using the latest onnx library
  3. Visually inspect the model using OSS tools like Netron. If no issues are found, report the false threat to the scanning platform

As one of the most popular machine learning libraries (stars: 189), every potential risk could be propagated and amplified. Could you please address the above issues?

Thanks for your help~

Best regards,
Mendy
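The load() method quoted in the issue fetches whatever the Hub repository currently serves, with no pinned revision and no integrity check, so a later change to the model files (malicious or not) would be picked up silently. The following is an added example, not code from the issue or from the truss-examples project, showing how a deployer can pin snapshot_download to a specific commit, restrict it to the files actually needed, and verify each file against a manifest of SHA-256 digests. The manifest, repo id and revision are assumed to be maintained by the deployer; the values used in comments are placeholders.

```python
"""Pin a Hugging Face snapshot to a commit and verify the files it delivered.

Added example; the manifest of expected digests is assumed to be curated by
the deployer (e.g. hashes recorded when the model was first reviewed).
"""
import hashlib
from pathlib import Path


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 (TensorRT engines and ONNX files are large)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_snapshot(local_dir, manifest: dict) -> dict:
    """Compare the files under local_dir with a manifest of expected SHA-256 hex
    digests keyed by path relative to local_dir (POSIX separators).

    Returns sorted lists of "missing", "mismatched" and "unexpected" relative paths;
    all three empty means the snapshot is exactly what was reviewed."""
    root = Path(local_dir)
    present = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(".cache/"):  # huggingface_hub bookkeeping written beside the files
            continue
        present[rel] = p
    missing = sorted(set(manifest) - set(present))
    unexpected = sorted(set(present) - set(manifest))
    mismatched = sorted(
        rel for rel in set(manifest) & set(present)
        if sha256_file(present[rel]) != manifest[rel].lower()
    )
    return {"missing": missing, "mismatched": mismatched, "unexpected": unexpected}


def pinned_download(repo_id: str, local_dir, revision: str, manifest: dict) -> dict:
    """Fetch only the manifest's files at a fixed commit and refuse to continue unless
    every file matches. `revision` must be a commit hash, not a branch or tag name,
    since those can be moved to point at different content."""
    # Imported here so the verification helpers above run without huggingface_hub installed.
    from huggingface_hub import snapshot_download

    snapshot_download(
        repo_id,                      # e.g. "baseten/sdxl-controlnet-inpaint-trt-A10G"
        local_dir=local_dir,
        revision=revision,            # placeholder: the reviewed commit hash
        allow_patterns=sorted(manifest),
        max_workers=4,
    )
    result = verify_snapshot(local_dir, manifest)
    if any(result.values()):
        raise RuntimeError(f"snapshot {repo_id}@{revision} failed verification: {result}")
    return result
```

Call pinned_download(...) from load() in place of the bare snapshot_download(...); if a file on the Hub changes, the call raises before loadEngines() ever touches the data directory. The manifest should be regenerated (and re-reviewed) only when the deployer deliberately moves to a new revision.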
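The first suggested repair is to convert the model to the safetensors format. The reason that format is considered safer is structural: a safetensors file is an 8-byte little-endian header length, a JSON header describing each tensor's dtype, shape and byte range, and then raw tensor bytes, with nothing that a loader has to execute. That structure is simple enough to check without any ML library, as this added example does (it is not code from the issue or the project). It includes a small constructed writer so the check can run offline; real files would come from the safetensors library.

```python
"""Structural validation of a safetensors file using only the standard library.

Added example. The format: 8 bytes (unsigned little-endian header length),
a UTF-8 JSON object, then the concatenated tensor data.
"""
import json
import math
import struct

# Element sizes for the dtypes the safetensors format defines.
DTYPE_SIZE = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2,
              "I64": 8, "I32": 4, "I16": 2, "I8": 1, "U8": 1, "BOOL": 1}


def read_safetensors_header(blob: bytes) -> tuple:
    """Parse the length prefix and JSON header. Returns (header, data_start)."""
    if len(blob) < 8:
        raise ValueError("file shorter than the 8-byte header-length prefix")
    (header_len,) = struct.unpack("<Q", blob[:8])
    data_start = 8 + header_len
    if data_start > len(blob):
        raise ValueError("declared header length exceeds file size")
    header = json.loads(blob[8:data_start].decode("utf-8"))  # ValueError on non-JSON
    if not isinstance(header, dict):
        raise ValueError("safetensors header must be a JSON object")
    return header, data_start


def validate_safetensors(blob: bytes) -> list:
    """Return a list of problems; an empty list means every tensor entry is
    well-typed and its byte range lies inside the data section."""
    header, data_start = read_safetensors_header(blob)
    data_len = len(blob) - data_start
    problems = []
    for name, meta in header.items():
        if name == "__metadata__":
            if not (isinstance(meta, dict)
                    and all(isinstance(k, str) and isinstance(v, str) for k, v in meta.items())):
                problems.append("__metadata__ must map strings to strings")
            continue
        if not isinstance(meta, dict):
            problems.append(f"{name}: entry is not an object")
            continue
        dtype, shape, offsets = meta.get("dtype"), meta.get("shape"), meta.get("data_offsets")
        if dtype not in DTYPE_SIZE:
            problems.append(f"{name}: unknown dtype {dtype!r}")
            continue
        if not (isinstance(shape, list) and all(isinstance(d, int) and d >= 0 for d in shape)):
            problems.append(f"{name}: malformed shape {shape!r}")
            continue
        if not (isinstance(offsets, list) and len(offsets) == 2
                and all(isinstance(o, int) for o in offsets)):
            problems.append(f"{name}: malformed data_offsets {offsets!r}")
            continue
        begin, end = offsets
        expected = math.prod(shape) * DTYPE_SIZE[dtype]
        if begin < 0 or end < begin or end > data_len:
            problems.append(f"{name}: data_offsets {offsets} fall outside the data section")
        elif end - begin != expected:
            problems.append(f"{name}: {end - begin} bytes stored but shape/dtype imply {expected}")
    return problems


def build_safetensors(tensors: dict, metadata: dict = None) -> bytes:
    """Constructed writer for the example: {name: (dtype, shape, raw little-endian bytes)}."""
    header, data, cursor = {}, bytearray(), 0
    if metadata:
        header["__metadata__"] = metadata
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [cursor, cursor + len(raw)]}
        data += raw
        cursor += len(raw)
    hdr = json.dumps(header).encode("utf-8")
    hdr += b" " * (-len(hdr) % 8)  # pad to 8-byte alignment like the reference writer
    return struct.pack("<Q", len(hdr)) + hdr + bytes(data)
```

The contrast with the ONNX file flagged in the issue is the point: an ONNX graph is a protobuf that declares operators, and any loader that supports custom operators or plugins may run code chosen by whoever built the file, whereas a safetensors file that passes the check above is nothing but typed arrays. Converting is therefore worthwhile for the weights, but the operator graph still has to be regenerated from a trusted source, as the issue's second and third suggestions describe.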
