Secure persistence with skops


This feature is heavily under development, which means the API is unstable and there might be security issues at the moment. Therefore, use caution when loading files from sources you don’t trust.

Skops offers a way to save and load sklearn models without using pickle. The pickle module is not secure, but with skops, you can [more] securely save and load models without using pickle.

Pickle is the standard serialization format for sklearn and for Python in general (cloudpickle and joblib use the same format). One of the main advantages of pickle is that it can be used for almost all Python objects but this flexibility also makes it inherently insecure. This is because loading certain types of objects requires the ability to run arbitrary code, which can be misused for malicious purposes. For example, an attacker can use it to steal secrets from your machine or install a virus. As the Python docs say:


The pickle module is not secure. Only unpickle data you trust. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never unpickle data that could have come from an untrusted source, or that could have been tampered with.

In contrast to pickle, the and functions have a more limited scope, while preventing users from running arbitrary code or loading unknown and malicious objects.

When loading a file, will traverse the input, check for known and unknown types, and will only construct those objects if they are trusted, either by default or by the user.


You can try out converting your existing pickle files to the skops format using this Space on Hugging Face Hub: pickle-to-skops.


The code snippet below illustrates how to use and Note that one needs XGBoost installed to run this:

from xgboost.sklearn import XGBClassifier
from sklearn.model_selection import GridSearchCV, train_test_split
from sklearn.datasets import load_iris
from import dump, load

X, y = load_iris(return_X_y=True)
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.4)
param_grid = {"tree_method": ["exact", "approx", "hist"]}
clf = GridSearchCV(XGBClassifier(), param_grid=param_grid).fit(X_train, y_train)
print(clf.score(X_test, y_test))
dump(clf, "my-model.skops")
# ...
loaded = load("my-model.skops", trusted=True)
print(loaded.score(X_test, y_test))

# in memory
from import dumps, loads
serialized = dumps(clf)
loaded = loads(serialized, trusted=True)

Note that you should only load files with trusted=True if you trust the source. Otherwise you can get a list of untrusted types present in the dump using

from import get_untrusted_types
unknown_types = get_untrusted_types(file="my-model.skops")
'xgboost.core.Booster', 'xgboost.sklearn.XGBClassifier']

Note that everything in the above list is safe to load. We already have many types included as trusted by default, and some of the above values might be added to that list in the future.

Once you check the list and you validate that everything in the list is safe, you can load the file with trusted=unknown_types:

loaded = load("my-model.skops", trusted=unknown_types)

At the moment, we support the vast majority of sklearn estimators. This includes complex use cases such as sklearn.pipeline.Pipeline, sklearn.model_selection.GridSearchCV, classes using objects defined in Cython such as sklearn.tree.DecisionTreeClassifier, and more. If you discover an sklearn estimator that does not work, please open an issue on the skops GitHub page and let us know.

At the moment, skops cannot persist arbitrary Python code. This means if you have custom functions (say, a custom function to be used with sklearn.preprocessing.FunctionTransformer), it will not work. However, most numpy and scipy functions should work. Therefore, you can save objects having references to functions or universal functions (ufuncs) such as numpy.sqrt.


If file size is an issue, you can compress the file by setting the compression and compresslevel arguments to and For example, to compress the file using zlib with level 9:

from zipfile import ZIP_DEFLATED
dump(clf, "my-model.skops", compression=ZIP_DEFLATED, compresslevel=9)

Check the documentation of these two arguments under zipfile.ZipFile for more details.

Command Line Interface

Skops has a command line interface to:

  • convert scikit-learn models persisted with Pickle to Skops files.

  • update Skops files to the latest version.

skops convert

To convert a file from the command line, use the skops convert entrypoint.

Below is an example call to convert a file my_model.pkl to my_model.skops:

skops convert my_model.pkl

To convert multiple files, you can use bash commands to iterate the above call. For example, to convert all .pkl flies in the current directory:

for FILE in *.pkl; do skops convert FILE; done

Further help for the different supported options can be found by calling skops convert --help in a terminal.

skops update

To update a Skops file from the command line, use the skops update command. Skops will check the protocol version of the file to determine if it needs to be updated to the current version.

The below command is an example on how to create an updated version of a file my_model.skops and save it as my_model-updated.skops:

skops update my_model.skops -o my_model-updated.skops

Further help for the different supported options can be found by calling skops update --help in a terminal.


Skops files can be visualized using If you have a skops file called my-model.skops, you can visualize it like this:

import as sio

The output could look like this:

root: sklearn.preprocessing._data.MinMaxScaler
└── attrs: builtins.dict
    ├── feature_range: builtins.tuple
    │   ├── content: json-type(-555)
    │   └── content: json-type(123)
    ├── copy: unsafe_lib.UnsafeType [UNSAFE]
    ├── clip: json-type(false)
    └── _sklearn_version: json-type("1.2.0")

unsafe_lib.UnsafeType was recognized as untrusted and marked.

It’s also possible to visualize the object dumped as bytes:

import as sio my_model = … sio.visualize(sio.dumps(my_model))

There are various options to customize the output. By default, the security of nodes is color coded if rich is installed, otherwise they all have the same color. To install rich, run:

python -m pip install rich

or, when installing skops, install it like this:

python -m pip install skops[rich]

To disable colors, even if rich is installed, pass use_colors=False to

It’s also possible to change what colors are being used, e.g. by passing visualize(..., color_safe="cyan") to change the color for trusted nodes from green to cyan. The rich docs list the supported standard colors.

Note that the visualization feature is intended to help understand the structure of the object, e.g. what attributes are identified as untrusted. It is not a replacement for a proper security check. In particular, just because an object’s visualization looks innocent does not mean you can just call sio.load(<file>, trusted=True) on this object – only pass the types you really trust to the trusted argument.

Supported libraries

Skops intends to support all of scikit-learn, that is, not only its estimators, but also other classes like cross validation splitters. Furthermore, most types from numpy and scipy should be supported, such as (sparse) arrays, dtypes, random generators, and ufuncs.

Apart from this core, we plan to support machine learning libraries commonly used be the community. So far, we have tested the following libraries:

If you run into a problem using any of the mentioned libraries, this could mean there is a bug in skops. Please open an issue on our issue tracker (but please check first if a corresponding issue already exists).

In terms of security, we do not audit these libraries for security issues. Therefore, you should only load a skops file containing a model of any of those libraries if you trust them to be secure. It’s not a perfect solution, but it’s still better than trusting pickle files, which anyone can tamper with easily.

Backwards compatibility

The skops persistence format is in flux, as we steadily work on improving it, making it more secure and supporting more types. When we make a change that is incompatible with existing skops files, the protocol will be bumped to the next higher number (the protocol can be checked in the schema of the skops file). At the same time, we will ensure that existing skops files with lower protocol versions still load as always, even if they contained a bug (in which case we will warn about it). Therefore, it is generally safe to assume that your skops files will keep on working with future versions of skops.

You may want to periodically load and dump old skops files using newer versions of skops to benefit from the updates to the protocol.

One caveat to the backwards compatibility promise is that the skops files have to be created based on a release version of skops. If you create skops files using a skops version installed from, say, the main git branch, it is possible to end up in an inconsistent state. Therefore, don’t use any non-release version of skops for creating skops files intended to be loaded with future skops versions.

Using skops to load a model saved in one sklearn version and loading it with another sklearn version is not recommended, because the behavior of the model may change across versions. In some cases loading the model in a different version might not be possible due to internal changes in scikit-learn. Such changes don’t happen very often, but they can happen, thus you should be cautious. To replicate a model trained with one sklearn version using a different sklearn version, it is advised to retrain the model on the same data using the same training process.

The potential compatibility issue between sklearn versions is not skops specific. It is general sklearn behavior which skops cannot avoid. According to the sklearn docs on model persistence:

While models saved using one version of scikit-learn might load in other versions, this is entirely unsupported and inadvisable. It should also be kept in mind that operations performed on such data could give different and unexpected results.


There needs to be more testing to harden the loader and make sure we don’t run arbitrary code when it’s not intended. However, the safety mechanisms already in place should prevent most cases of abuse.

At the moment, persisting and loading arbitrary C extension types is not possible, unless a python object wraps around them and handles persistence and loading via __getstate__ and __setstate__. We plan to develop an API which would help third party libraries to make their C extension types skops compatible.

You can check on our “issue tracker which features are planned for the near future.