
Heuristic:Protectai Modelscan Unknown Opcodes Assume Critical

From Leeroopedia
Knowledge Sources
Domains Security, Optimization
Last Updated 2026-02-14 12:00 GMT

Overview

STACK_GLOBAL imports whose module or name operand was pushed by a non-string pickle opcode are classified as CRITICAL severity, on the assumption that they may be Remote Code Execution (RCE).

Description

When the pickle bytecode scanner encounters a `STACK_GLOBAL` opcode whose two preceding operands were not pushed by one of the standard string opcodes (SHORT_BINUNICODE, UNICODE, BINUNICODE, BINUNICODE8), it records that operand as "unknown". Any import with "unknown" in either the module or the name position is automatically escalated to CRITICAL severity. This follows a security-first principle: if the scanner cannot determine what is being imported, it assumes the worst case (arbitrary code execution).

Usage

Be aware that CRITICAL severity findings with "unknown" module/operator names are not necessarily confirmed threats. They indicate the scanner could not parse the import target, which may be due to obfuscation (suspicious) or unusual but benign pickle bytecode. Manual review of these findings is recommended.

The Insight (Rule of Thumb)

  • Action: Treat all "unknown" pickle imports as CRITICAL until manually verified.
  • Value: "unknown" module or operator name = CRITICAL severity (assumed RCE).
  • Trade-off: May produce false positives for unusual but benign pickle bytecode. Security over convenience — better to flag and manually review than to miss an actual attack.

Reasoning

Non-string opcode detection from `tools/picklescanner.py:103-106`:

logger.debug(
    "Presence of non-string opcode, categorizing as an unknown dangerous import"
)
values.append("unknown")

Critical severity assignment from `tools/picklescanner.py:184-185`:

if "unknown" in global_module or "unknown" in global_name:
    severity = IssueSeverity.CRITICAL  # we must assume it is RCE

This is related to the STACK_GLOBAL validation at `tools/picklescanner.py:111-114`:

if len(values) != 2:
    raise ValueError(
        f"Found {len(values)} values for STACK_GLOBAL at position {n} instead of 2."
    )

The STACK_GLOBAL opcode requires exactly 2 values (module name and function name). When these values cannot be resolved to strings, the "unknown" marker triggers the CRITICAL classification. This is a deliberate security decision — pickle-based attacks can use obfuscated bytecode to hide malicious imports.
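To make the heuristic concrete, here is a small re-implementation of the STACK_GLOBAL walk-back and the "unknown means CRITICAL" rule, written for this page as an added example; it is not modelscan's own code, and the names `list_stack_globals`, `classify`, `scan`, `is_malformed` and the sample byte strings are constructed here. It uses `pickletools.genops`, which disassembles a pickle without executing it, so scanning an untrusted blob never runs its opcodes. One assumption beyond the page: memo-only opcodes (MEMOIZE, PUT, BINPUT, LONG_BINPUT) push nothing, so they are skipped while walking back to the two operands; `pickle.dumps` emits a MEMOIZE after each string, so without that skip a normal protocol-4 pickle would be misread.

```python
"""Added example: modelscan-style "unknown import => CRITICAL" heuristic for STACK_GLOBAL."""
import pickle
import pickletools
from enum import Enum
from typing import List, Optional, Tuple

# Opcodes that push a str operand; any other opcode feeding STACK_GLOBAL is "unknown".
STRING_OPCODES = {"SHORT_BINUNICODE", "UNICODE", "BINUNICODE", "BINUNICODE8"}
# Assumption (not stated on the page): memo-only opcodes push nothing and are skipped.
MEMO_OPCODES = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


class IssueSeverity(Enum):
    CRITICAL = "CRITICAL"


def list_stack_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return (module, name) for every STACK_GLOBAL in a pickle stream.

    An operand not pushed by a string opcode is recorded as "unknown".
    Raises ValueError when two operands cannot be located, mirroring the
    length check quoted from picklescanner.py.
    """
    ops = list(pickletools.genops(data))  # static disassembly, nothing is unpickled
    found: List[Tuple[str, str]] = []
    for n, (op, _arg, _pos) in enumerate(ops):
        if op.name != "STACK_GLOBAL":
            continue
        values: List[str] = []
        for k in range(n - 1, -1, -1):  # walk back over the preceding opcodes
            prev_op, prev_arg, _ = ops[k]
            if prev_op.name in MEMO_OPCODES:
                continue
            if prev_op.name in STRING_OPCODES:
                values.append(prev_arg)
            else:
                values.append("unknown")  # non-string opcode: target cannot be resolved
            if len(values) == 2:
                break
        if len(values) != 2:
            raise ValueError(
                f"Found {len(values)} values for STACK_GLOBAL at position {n} instead of 2."
            )
        # Walking backwards yields the name first, then the module.
        found.append((values[1], values[0]))
    return found


def classify(module: str, name: str) -> Optional[IssueSeverity]:
    """Apply only the heuristic on this page; named imports are left to an unsafe-globals list."""
    if "unknown" in module or "unknown" in name:
        return IssueSeverity.CRITICAL  # cannot tell what is imported: assume RCE
    return None


def scan(data: bytes) -> List[Tuple[str, str, Optional[IssueSeverity]]]:
    return [(m, n, classify(m, n)) for m, n in list_stack_globals(data)]


def is_malformed(data: bytes) -> bool:
    """True when the STACK_GLOBAL operand check raises, as the quoted ValueError would."""
    try:
        list_stack_globals(data)
    except ValueError:
        return True
    return False


# Constructed samples (not real model files).
# A normal protocol-4 pickle of builtins.len: two SHORT_BINUNICODE operands, each memoized.
BENIGN = pickle.dumps(len, protocol=4)
# PROTO 4, BININT 1, BININT 2, STACK_GLOBAL, STOP: both operands are integers, not strings.
ALL_UNKNOWN = b"\x80\x04" + b"J\x01\x00\x00\x00" + b"J\x02\x00\x00\x00" + b"\x93" + b"."
# PROTO 4, SHORT_BINUNICODE "builtins", MEMOIZE, BININT 7, STACK_GLOBAL, STOP: name is unknown.
NAME_UNKNOWN = b"\x80\x04" + b"\x8c\x08builtins" + b"\x94" + b"J\x07\x00\x00\x00" + b"\x93" + b"."
# PROTO 4, STACK_GLOBAL, STOP: only one preceding opcode, so the length check fires.
MALFORMED = b"\x80\x04\x93."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("all-unknown", ALL_UNKNOWN), ("name-unknown", NAME_UNKNOWN)]:
        print(label, scan(blob))
    print("malformed raises ValueError:", is_malformed(MALFORMED))
```

Running the block prints a `None` severity for `builtins.len` (this heuristic makes no claim about named imports), CRITICAL for both constructed samples, and `True` for the malformed stream. Note that a PROTO or FRAME opcode sitting directly before STACK_GLOBAL also counts as "unknown", which is why a finding should be confirmed by looking at the disassembly rather than treated as proof of an attack.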
