AFAIK models used to be just plain code, when you load one, for example, it would do so by calling a method pickled inside the model file. Uploader could set up this method to do practically anything they want, and it doesn’t need to be obviously malicious since code runs just like a normal python script. For example, it could simply load/render a webp image that is designed to use the recent libwebp vulnerability.

They changed this a while back, so now you need to pass an argument when loading the model to allow this behavior, and this model requires it.

Models requiring remote code without any explanation are shady imo