Calling them broken files might not be correct. However, I can see where if you are not diligent about watching commits to those git repos, you end up with a Trojan Horse that introduces a vulnerability after you've vetted the model.

Well, sure, but how does this tool help in any way with that? Since if you're using Git LFS, the tool just says it's broken, rather than actually pulling down the blobs and checking those. It wouldn't prevent "malicious weights".

Besides, pickle is the data format that introduces the possibility for vulnerabilities, if the model weights are in .safetensor you're safe regardless.