Model-sharing platforms, such as Hugging Face, ModelScope, and OpenCSG, have become central to modern machine learning development, enabling developers to share, load, and fine-tune pre-trained models with minimal effort. However, the flexibility of these ecosystems introduces a critical security concern: the execution of untrusted code during model loading (i.e., via trust_remote_code or trust_repo). In this work, we conduct the first large-scale empirical study of custom model loading practices across five major model-sharing platforms to assess their prevalence, associated risks, and developer perceptions. We first quantify the frequency with which models require custom code to function and identify those that execute arbitrary Python files during loading. We then apply three complementary static analysis tools: Bandit, CodeQL, and Semgrep, to detect security smells and potential vulnerabilities, categorizing our findings by CWE identifiers to provide a standardized risk taxonomy. We also use YARA to identify malicious patterns and payload signatures. In parallel, we systematically analyze the documentation, API design, and safety mechanisms of each platform to understand their mitigation strategies and enforcement levels. Finally, we conduct a qualitative analysis of over 600 developer discussions from GitHub, Hugging Face, and PyTorch Hub forums, as well as Stack Overflow, to capture community concerns and misconceptions regarding security and usability. Our findings reveal widespread reliance on unsafe defaults, uneven security enforcement across platforms, and persistent confusion among developers about the implications of executing remote code. We conclude with actionable recommendations for designing safer model-sharing infrastructures and striking a balance between usability and security in future AI ecosystems.

翻译：以Hugging Face、ModelScope和OpenCSG为代表的模型共享平台已成为现代机器学习开发的核心基础设施，使开发者能够以最小代价共享、加载和微调预训练模型。然而，这些生态系统的灵活性引发了关键的安全隐患：在模型加载过程中执行不可信代码（例如通过trust_remote_code或trust_repo参数）。本研究首次对五大主流模型共享平台的自定义模型加载实践开展大规模实证分析，评估其普及程度、相关风险及开发者认知。我们首先量化了依赖自定义代码运行的模型比例，并识别出在加载过程中执行任意Python文件的模型实例。随后采用Bandit、CodeQL和Semgrep三种互补的静态分析工具检测安全异味和潜在漏洞，依据CWE标识符对发现的问题进行分类以建立标准化风险分类体系，同时利用YARA规则识别恶意模式与载荷特征。通过系统分析各平台的文档规范、API设计及安全机制，我们深入解析了不同平台的缓解策略与执行力度。此外，我们从GitHub、Hugging Face、PyTorch Hub论坛及Stack Overflow平台收集600余条开发者讨论进行质性分析，以捕捉社区对安全性与可用性的关切与认知误区。研究结果表明：不安全默认配置被广泛采用，各平台安全执行力度存在显著差异，开发者对远程代码执行的安全影响普遍存在认知混淆。最后，我们为构建更安全的模型共享基础设施提出可操作性建议，为未来人工智能生态系统在可用性与安全性之间的平衡提供设计参考。