kayodelycaon 2 days ago

I thought Marshal and non-safe YAML are fundamentally unsafe. You’re allowing input to instantiate arbitrary objects. It’s relatively easy to find an exploitable class.

Python’s pickle function is equivalent and has a warning about this.
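
An added illustration of the point in the comment above (not part of the thread and not the commenter's code): a Ruby sketch in which input alone selects the class that gets instantiated and runs its load hooks under `Marshal.load` and unsafe YAML loading, while `YAML.safe_load` refuses the same document. The `AuditHook` class, the helper names and both inputs are constructed for this example.

```ruby
require "yaml"

# Hypothetical application class (constructed for this example). Its load
# hooks run during deserialization, before the caller ever sees the object.
class AuditHook
  HOOK_CALLS = []   # records every hook the loaders invoke
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def marshal_dump
    [@name]
  end

  # Invoked by Marshal.load on a freshly allocated instance.
  def marshal_load(data)
    @name = data.first
    HOOK_CALLS << [:marshal, @name]
  end

  # Invoked by Psych when it revives a "!ruby/object:" tagged mapping.
  def init_with(coder)
    @name = coder["name"]
    HOOK_CALLS << [:yaml, @name]
  end
end

# Constructed inputs: the class name travels inside the data itself.
YAML_DOC     = "--- !ruby/object:AuditHook\nname: from-input\n"
MARSHAL_BLOB = Marshal.dump(AuditHook.new("from-input"))

# Unsafe path: the document decides which class is instantiated.
# (Before Psych 4, plain YAML.load behaved this way.)
def unsafe_yaml(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Safe path: only basic types are allowed unless classes are explicitly
# permitted; the rejection is returned here so the caller can inspect it.
def safe_yaml(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  e
end
```

`Marshal.load` has no allowlist equivalent to `safe_load`, so data from an untrusted source needs a plain data format such as JSON instead.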