How to ensure safe usage?

Hugging Face Forums [Unofficial] June 10, 2026

Hi, not an expert but would like to share my suggestion for reference.

Since your goal is to prevent accidental execution rather than stopping determined malicious users, you can handle this locally without needing complex sandboxes.

  1. Network-level filter via HF_ENDPOINT: The huggingface_hub library respects the HF_ENDPOINT environment variable. You can set this globally for all SSH users (e.g., in /etc/profile.d/hf.sh) to point to a lightweight proxy (like a simple Nginx config) running locally on the server. Have the proxy forward all requests to https://huggingface.co, but return a 403 for file extensions associated with pickled code (.bin, .pt, .pth, .pkl). This automatically restricts users to downloading .safetensors and config files.

  2. Python-level guardrail via sitecustomize.py: If you want to catch the execution itself, you can add a sitecustomize.py file to your server's global Python environment. Because this script executes automatically on Python startup, you can use it to monkey-patch torch.load to raise a custom warning or error. This effectively acts as a tripwire, reminding users to pass use_safetensors=True when loading models via transformers.

Relying on safetensors is exactly the right instinct; you just need to enforce it at the proxy or interpreter level.

VERIFY BEFORE POSTING:

  • Verify that all download traffic from huggingface_hub strictly routes through HF_ENDPOINT in the version your users are running (it generally does, but it is worth testing in your specific environment).

  • If you go the sitecustomize.py route, ensure monkey-patching torch.load won’t break users’ legitimate local training workflows (e.g., saving and loading their own optimizer states or mid-training checkpoints, which often default to pickle).
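
A concrete sitecustomize.py tripwire of the kind the reply's second suggestion describes, added here as an example and not code from the post or from Hugging Face. It assumes a policy of its own (block torch.load on files inside the huggingface_hub cache, warn on any other path, allow weights_only=True) and a hypothetical TORCH_LOAD_GUARD variable, so the caveat above about users' own training checkpoints is handled by warning rather than blocking.

```python
# sitecustomize.py tripwire around torch.load; runs at every interpreter start
# when placed on the global sys.path. Policy (an assumption for this example):
# weights_only=True -> allow; file inside the Hub cache -> block (Hub .bin/.pt files
# unpickle code); anything else, e.g. a user's own checkpoint -> allow but warn.
# TORCH_LOAD_GUARD=off (hypothetical name) disables the guard entirely.
import functools
import os
import warnings

class PickleLoadBlocked(RuntimeError):
    """Raised instead of unpickling a checkpoint that came from the Hub."""

def hub_cache_dir(env=None):
    """Hub cache dir from HF_HUB_CACHE / HF_HOME, as huggingface_hub resolves it (XDG case omitted)."""
    env = os.environ if env is None else env
    if env.get("HF_HUB_CACHE"):
        return os.path.abspath(env["HF_HUB_CACHE"])
    home = env.get("HF_HOME") or os.path.join(os.path.expanduser("~"), ".cache", "huggingface")
    return os.path.abspath(os.path.join(home, "hub"))

def classify(target, weights_only=False, env=None):
    """Return 'allow', 'warn' or 'block' for the first argument of torch.load."""
    env = os.environ if env is None else env
    if env.get("TORCH_LOAD_GUARD") == "off" or weights_only is True:
        return "allow"
    path = (os.fsdecode(os.fspath(target)) if isinstance(target, (str, bytes, os.PathLike))
            else getattr(target, "name", None))  # file-like: only .name hints at its origin
    if not isinstance(path, str):
        return "warn"  # in-memory stream, origin unknown
    path, cache = os.path.abspath(path), hub_cache_dir(env)
    return "block" if path == cache or path.startswith(cache + os.sep) else "warn"

def guard(load, env=None):
    """Wrap a torch.load-compatible callable so it enforces the policy above."""
    @functools.wraps(load)
    def guarded(f, *args, **kwargs):
        verdict = classify(f, kwargs.get("weights_only", False), env)
        if verdict == "block":
            raise PickleLoadBlocked(f"torch.load({f!r}) refused: load Hub models with "
                                    "use_safetensors=True or pass weights_only=True")
        if verdict == "warn":
            warnings.warn(f"torch.load({f!r}) unpickles code; prefer safetensors", stacklevel=2)
        return load(f, *args, **kwargs)
    return guarded

try:
    import torch  # eager import adds torch's startup cost to every Python process
    torch.load = guard(torch.load)
except ImportError:
    pass  # torch is not installed in this interpreter: nothing to patch
```

Importing torch eagerly from sitecustomize adds its import time to every Python process on the box; a lazy import hook that patches torch.load only once torch is actually imported avoids that cost.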
