Compatibility Matrix (Formats vs Optional Dependencies)

June 18, 2026 ยท View on GitHub

This page shows which model formats work in base install and which require optional dependencies.

Installation profiles

  • Broad portable coverage: pip install "modelaudit[all]" (ONNX installs on Python 3.10-3.12; on Python 3.11-3.12, add tensorflow only for TensorFlow-dependent checkpoint/weight analysis)
  • Minimal base install: pip install modelaudit
  • Targeted extras: install only the extras you need (examples below)

Matrix

Format familyCommon extensionsBase installOptional dependency / extra
Pickle family.pkl, .pickle, .dillYesmodelaudit[dill] for broader dill compatibility
PyTorch archive/binary.pt, .pth, .ckpt, .binYes (static archive/pickle checks)modelaudit[pytorch] optional for broader Torch ecosystem tooling
NumPy.npy, .npzYesNone
R serialized.rds, .rda, .rdata, signature-valid renamed workspace filesYes (static analysis only)None
TensorFlow SavedModel/MetaGraph.pb, .meta, SavedModel directoriesYes (vendored protos)modelaudit[tensorflow] on Python 3.11-3.12 for TensorFlow-dependent checkpoint/weight analysis
Keras H5.h5, .hdf5Nomodelaudit[h5] (required)
ONNX.onnxNomodelaudit[onnx] on Python 3.10-3.12 (required)
CoreML.mlmodel, validated or bounded-candidate renamed artifactsYes (static protobuf/metadata checks)None
NeMo.nemo, renamed archives with root configYes (static tar/config analysis, Hydra _target_ checks)None
CNTK native.dnn, .cmf, signature-valid renamed artifactsYes (static signature and string analysis)None
RKNN models.rknn, signature-valid artifacts under non-conflicting renamed suffixesYes (static bounded metadata checks)None
Torch7 serializedSerialized artifacts (.t7, .th, .net or renamed)Yes (static string/structure checks)None
CatBoost native.cbmYes (static bounded metadata inspection)None
LightGBM native.lgb, .lightgbm, signature-valid .model or renamed artifactsYes (static native-text/binary checks)None
Llamafile binariesExecutable wrappers (.llamafile, .exe, extensionless/renamed)Yes (executable + embedded GGUF checks)None required
TorchServe archives.marYesNone
SafeTensors.safetensorsYesNone required
GGUF/GGML.gguf, .ggml, .ggmf, .ggjt, .ggla, .ggsa, signature-valid renamed artifactsYesNone required
Flax/JAX msgpack.msgpack, .flax, .orbax, .jaxYesNone (modelaudit[flax] is a compatibility alias)
JAX checkpoints.ckpt, .checkpoint, .orbax-checkpointYesNone
TFLite.tflite, signature-valid artifacts under non-conflicting renamed suffixesNomodelaudit[tflite] (required)
ExecuTorch.ptl, .pte, signature-valid standalone artifacts under non-conflicting renamed suffixesYes (static binary/archive checks)None
XGBoost.bst, .model, .json, .ubj, extensionless UBJSONYes for static checks on common formatsmodelaudit[xgboost] recommended for UBJ/full validation paths
TensorRT.engine, .plan, .trtYesNone required
PaddlePaddle.pdmodel, .pdiparamsYes (static byte-pattern checks)None required
MXNet*-symbol.json, *-NNNN.paramsYes (static graph + params checks)None required
Standalone compressed wrappers.gz, .bz2, .xz, .lz4, .zlibYes (safe bounded decompression + inner scan routing)lz4 package optional only for .lz4 payload decompression
7-Zip archives.7zNomodelaudit[sevenzip] (required)
RAR archives.rarYes (recognized and failed closed as unsupported)None
Archives/config/text.zip, .tar*, .json, .yaml, .yml, .toml, .md, .txtYesNone

Renamed RKNN and standalone ExecuTorch routing does not override .pb or .meta; renamed TFLite routing also preserves other format-owned suffixes. Signature-valid .bin artifacts retain raw-binary checks and receive applicable format-specific analysis.

Notes

  • Scanner selection is extension- and content-aware; overlapping extensions may be dispatched to different scanners based on file content.
  • TensorFlow SavedModel/MetaGraph content routing recognizes renamed protobufs only after strict structural validation; oversized plausible candidates are retained for fail-closed bounded analysis.
  • CoreML content routing tentatively analyzes bounded protobuf candidates so unknown valid fields cannot hide custom-code or metadata findings.
  • SafeTensors content routing validates normal-size headers and retains oversized plausible framing for inconclusive bounded analysis under otherwise unclaimed suffixes.
  • Runtime scanner selection is available with modelaudit scan --scanners ... and --exclude-scanner ...; use modelaudit scan --list-scanners to discover scanner IDs.
  • Compressed wrappers enforce limits via compressed_max_decompressed_bytes, compressed_max_decompression_ratio, compressed_max_zero_padding_bytes, and compressed_max_depth.
  • GGUF/GGML header signatures route renamed artifacts through the same static validation as declared extensions.
  • Renamed NeMo archives require TAR structure plus a relative archive-root model_config.yaml or model_config.yml member before Hydra _target_ analysis is selected; nested, absolute, or whitespace-padded same-name members remain on the generic TAR route. A proven non-HDF5 TAR whose bounded NeMo probe cannot decide is handed to bounded generic TAR analysis; coverage that generic TAR cannot complete still fails closed. NeMo analysis is composed with generic TAR safety and recursive member checks.
  • R serialized (.rds/.rda/.rdata) support is static-only: ModelAudit does not execute R code or evaluate objects in an R runtime.
  • Renamed R workspace files require both a workspace header and serialization marker; short marker lookalikes are not promoted as renamed models.
  • CNTK recognizes strict signature-valid content under misleading suffixes; .model remains excluded because it overlaps with XGBoost handling.
  • MXNet content routing recognizes structurally valid symbol JSON under renamed filenames, including .params disguises. Bounded ambiguity fails closed for oversized unresolved JSON, disguised non-JSON files, and JSON prefixes that expose a top-level nodes key, an MXNet-style heads triplet, or multiple graph-array markers; complete ordinary JSON without that evidence remains with its filename-owned analysis. Raw params blobs remain suffix-routed because they do not expose a reliable standalone signature.
  • Acquired Llamafile wrappers are executable by design; renamed wrappers are identified through bounded executable-content and runtime-marker probes. Executable presence is reported at INFO; suspicious runtime indicators or malformed embedded payloads may escalate Llamafile-specific findings, while conflicting recognized suffixes may also trigger a format-mismatch WARNING. Selective remote folder acquisition remains filename-filtered.
  • RAR archives are recognized so they do not disappear from directory scans; ModelAudit reports them as unsupported coverage with a non-clean result.
  • Flax/JAX content routing recognizes renamed MessagePack maps when bounded inspection identifies checkpoint-state roots such as params or opt_state; structures whose bounded inspection cannot complete are reported as incomplete coverage instead of clean results, while generic maps rejected within the inspection budget are not promoted into the scan set.
  • Standalone Jinja2 templates exceeding the configured template-analysis size limit or failing UTF-8 text decoding are reported as incomplete coverage instead of clean results.
  • JAX content routing recognizes renamed JSON metadata when top-level identity fields contain JAX-family signals; candidates too large for complete bounded classification are reported as incomplete coverage, while observable security patterns in the bounded inspected prefix may still be reported conservatively. Near matches and arbitrary JSON conclusively classified within the routing budget remain outside this route.
  • modelaudit doctor --show-failed shows unavailable scanners and missing dependencies in your environment.
  • If you need predictable CI behavior across many formats, prefer modelaudit[all]; ONNX is included on Python 3.10-3.12, and TensorFlow runtime-dependent paths require adding modelaudit[tensorflow] on Python 3.11-3.12.