Compatibility Matrix (Formats vs Optional Dependencies)
June 18, 2026 ยท View on GitHub
This page shows which model formats work in base install and which require optional dependencies.
Installation profiles
- Broad portable coverage:
pip install "modelaudit[all]"(ONNX installs on Python 3.10-3.12; on Python 3.11-3.12, addtensorflowonly for TensorFlow-dependent checkpoint/weight analysis) - Minimal base install:
pip install modelaudit - Targeted extras: install only the extras you need (examples below)
Matrix
| Format family | Common extensions | Base install | Optional dependency / extra |
|---|---|---|---|
| Pickle family | .pkl, .pickle, .dill | Yes | modelaudit[dill] for broader dill compatibility |
| PyTorch archive/binary | .pt, .pth, .ckpt, .bin | Yes (static archive/pickle checks) | modelaudit[pytorch] optional for broader Torch ecosystem tooling |
| NumPy | .npy, .npz | Yes | None |
| R serialized | .rds, .rda, .rdata, signature-valid renamed workspace files | Yes (static analysis only) | None |
| TensorFlow SavedModel/MetaGraph | .pb, .meta, SavedModel directories | Yes (vendored protos) | modelaudit[tensorflow] on Python 3.11-3.12 for TensorFlow-dependent checkpoint/weight analysis |
| Keras H5 | .h5, .hdf5 | No | modelaudit[h5] (required) |
| ONNX | .onnx | No | modelaudit[onnx] on Python 3.10-3.12 (required) |
| CoreML | .mlmodel, validated or bounded-candidate renamed artifacts | Yes (static protobuf/metadata checks) | None |
| NeMo | .nemo, renamed archives with root config | Yes (static tar/config analysis, Hydra _target_ checks) | None |
| CNTK native | .dnn, .cmf, signature-valid renamed artifacts | Yes (static signature and string analysis) | None |
| RKNN models | .rknn, signature-valid artifacts under non-conflicting renamed suffixes | Yes (static bounded metadata checks) | None |
| Torch7 serialized | Serialized artifacts (.t7, .th, .net or renamed) | Yes (static string/structure checks) | None |
| CatBoost native | .cbm | Yes (static bounded metadata inspection) | None |
| LightGBM native | .lgb, .lightgbm, signature-valid .model or renamed artifacts | Yes (static native-text/binary checks) | None |
| Llamafile binaries | Executable wrappers (.llamafile, .exe, extensionless/renamed) | Yes (executable + embedded GGUF checks) | None required |
| TorchServe archives | .mar | Yes | None |
| SafeTensors | .safetensors | Yes | None required |
| GGUF/GGML | .gguf, .ggml, .ggmf, .ggjt, .ggla, .ggsa, signature-valid renamed artifacts | Yes | None required |
| Flax/JAX msgpack | .msgpack, .flax, .orbax, .jax | Yes | None (modelaudit[flax] is a compatibility alias) |
| JAX checkpoints | .ckpt, .checkpoint, .orbax-checkpoint | Yes | None |
| TFLite | .tflite, signature-valid artifacts under non-conflicting renamed suffixes | No | modelaudit[tflite] (required) |
| ExecuTorch | .ptl, .pte, signature-valid standalone artifacts under non-conflicting renamed suffixes | Yes (static binary/archive checks) | None |
| XGBoost | .bst, .model, .json, .ubj, extensionless UBJSON | Yes for static checks on common formats | modelaudit[xgboost] recommended for UBJ/full validation paths |
| TensorRT | .engine, .plan, .trt | Yes | None required |
| PaddlePaddle | .pdmodel, .pdiparams | Yes (static byte-pattern checks) | None required |
| MXNet | *-symbol.json, *-NNNN.params | Yes (static graph + params checks) | None required |
| Standalone compressed wrappers | .gz, .bz2, .xz, .lz4, .zlib | Yes (safe bounded decompression + inner scan routing) | lz4 package optional only for .lz4 payload decompression |
| 7-Zip archives | .7z | No | modelaudit[sevenzip] (required) |
| RAR archives | .rar | Yes (recognized and failed closed as unsupported) | None |
| Archives/config/text | .zip, .tar*, .json, .yaml, .yml, .toml, .md, .txt | Yes | None |
Renamed RKNN and standalone ExecuTorch routing does not override .pb or .meta; renamed TFLite routing also preserves other format-owned suffixes. Signature-valid .bin artifacts retain raw-binary checks and receive applicable format-specific analysis.
Notes
- Scanner selection is extension- and content-aware; overlapping extensions may be dispatched to different scanners based on file content.
- TensorFlow SavedModel/MetaGraph content routing recognizes renamed protobufs only after strict structural validation; oversized plausible candidates are retained for fail-closed bounded analysis.
- CoreML content routing tentatively analyzes bounded protobuf candidates so unknown valid fields cannot hide custom-code or metadata findings.
- SafeTensors content routing validates normal-size headers and retains oversized plausible framing for inconclusive bounded analysis under otherwise unclaimed suffixes.
- Runtime scanner selection is available with
modelaudit scan --scanners ...and--exclude-scanner ...; usemodelaudit scan --list-scannersto discover scanner IDs. - Compressed wrappers enforce limits via
compressed_max_decompressed_bytes,compressed_max_decompression_ratio,compressed_max_zero_padding_bytes, andcompressed_max_depth. - GGUF/GGML header signatures route renamed artifacts through the same static validation as declared extensions.
- Renamed NeMo archives require TAR structure plus a relative archive-root
model_config.yamlormodel_config.ymlmember before Hydra_target_analysis is selected; nested, absolute, or whitespace-padded same-name members remain on the generic TAR route. A proven non-HDF5 TAR whose bounded NeMo probe cannot decide is handed to bounded generic TAR analysis; coverage that generic TAR cannot complete still fails closed. NeMo analysis is composed with generic TAR safety and recursive member checks. - R serialized (
.rds/.rda/.rdata) support is static-only: ModelAudit does not execute R code or evaluate objects in an R runtime. - Renamed R workspace files require both a workspace header and serialization marker; short marker lookalikes are not promoted as renamed models.
- CNTK recognizes strict signature-valid content under misleading suffixes;
.modelremains excluded because it overlaps with XGBoost handling. - MXNet content routing recognizes structurally valid symbol JSON under renamed filenames, including
.paramsdisguises. Bounded ambiguity fails closed for oversized unresolved JSON, disguised non-JSON files, and JSON prefixes that expose a top-levelnodeskey, an MXNet-styleheadstriplet, or multiple graph-array markers; complete ordinary JSON without that evidence remains with its filename-owned analysis. Raw params blobs remain suffix-routed because they do not expose a reliable standalone signature. - Acquired Llamafile wrappers are executable by design; renamed wrappers are identified through bounded executable-content and runtime-marker probes. Executable presence is reported at
INFO; suspicious runtime indicators or malformed embedded payloads may escalate Llamafile-specific findings, while conflicting recognized suffixes may also trigger a format-mismatchWARNING. Selective remote folder acquisition remains filename-filtered. - RAR archives are recognized so they do not disappear from directory scans; ModelAudit reports them as unsupported coverage with a non-clean result.
- Flax/JAX content routing recognizes renamed MessagePack maps when bounded inspection identifies checkpoint-state roots such as
paramsoropt_state; structures whose bounded inspection cannot complete are reported as incomplete coverage instead of clean results, while generic maps rejected within the inspection budget are not promoted into the scan set. - Standalone Jinja2 templates exceeding the configured template-analysis size limit or failing UTF-8 text decoding are reported as incomplete coverage instead of clean results.
- JAX content routing recognizes renamed JSON metadata when top-level identity fields contain JAX-family signals; candidates too large for complete bounded classification are reported as incomplete coverage, while observable security patterns in the bounded inspected prefix may still be reported conservatively. Near matches and arbitrary JSON conclusively classified within the routing budget remain outside this route.
modelaudit doctor --show-failedshows unavailable scanners and missing dependencies in your environment.- If you need predictable CI behavior across many formats, prefer
modelaudit[all]; ONNX is included on Python 3.10-3.12, and TensorFlow runtime-dependent paths require addingmodelaudit[tensorflow]on Python 3.11-3.12.