# Safetensors

Safetensors is the file format Hugging Face created for storing model weights (tensors) safely and quickly. The name says it: tensors, stored safely.

It exists to replace Python's `pickle`, the format most [[Large Language Models (LLMs)|LLM]] weights used to ship in. The problem with pickle is simple and nasty: loading a file can execute arbitrary code hidden inside it. Download a model from a stranger, load it, and you might be running their code without knowing. Safetensors removes that risk by storing only raw tensor data plus a small JSON header. There's nothing to execute.

## Why it matters

- **Safe by design**: pure data, no code path, so loading an untrusted model can't run anything
- **Fast**: zero-copy loading and partial reads, which helps when you split a big model across several GPUs
- **The default for open weights**: most modern [[AI Open Weight Models|open-weight]] models ship as `.safetensors`, and it's the format tools convert *from* when producing [[GPT-Generated Unified Format (GGUF)|GGUF]] for local inference

## How it differs from GGUF

Safetensors stores the weights (at whatever precision you trained in) plus minimal metadata. It's the training and distribution format of the PyTorch and Hugging Face world.

[[GPT-Generated Unified Format (GGUF)|GGUF]] goes further for local inference: it bundles the chat template and rich metadata, and it's where the low-bit [[AI Quantization|quantized]] weights live. The usual path is safetensors ➤ GGUF.

## References

- https://github.com/huggingface/safetensors
- https://huggingface.co/docs/safetensors/index

## Related

- [[GPT-Generated Unified Format (GGUF)]]
- [[Georgi Gerganov Machine Learning (GGML)]]
- [[ONNX]]
- [[AI Open Weight Models]]
- [[Large Language Models (LLMs)]]
- [[AI Quantization]]
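As an added example (not code from the safetensors project or from this note), here is a stdlib-only Python reader that shows why loading the format cannot execute anything: it decodes the 8-byte little-endian header length and the JSON header, then checks that every tensor's `data_offsets` tile the data buffer exactly, all before any tensor bytes are touched. The names `build_safetensors`, `parse_header` and `is_well_formed` are chosen here, and the sample tensors are constructed.

```python
import json
import math
import struct

DTYPE_SIZE = {"F64": 8, "I64": 8, "F32": 4, "I32": 4, "F16": 2, "BF16": 2,
              "I16": 2, "I8": 1, "U8": 1, "BOOL": 1}  # bytes per element, per the spec

def build_safetensors(tensors, metadata=None):
    """{name: (dtype, shape, raw_bytes)} -> <u64 LE header len><JSON header><tensor bytes>."""
    header = {} if metadata is None else {"__metadata__": metadata}
    data = bytearray()
    for name, (dtype, shape, raw) in tensors.items():
        start = len(data)
        data += raw
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [start, len(data)]}
    hdr = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return struct.pack("<Q", len(hdr)) + hdr + bytes(data)

def parse_header(blob, max_header_bytes=100_000_000):
    """Validate only the header: just JSON is decoded, so a hostile file is rejected, never run."""
    if len(blob) < 8:
        raise ValueError("truncated: missing 8-byte header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > max_header_bytes or 8 + n > len(blob):
        raise ValueError(f"header length {n} implausible for {len(blob)}-byte file")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict): raise ValueError("header is not a JSON object")
    data_len = len(blob) - 8 - n
    tensors = {k: v for k, v in header.items() if k != "__metadata__"}
    expected = 0  # tensor ranges must tile the data buffer: no gaps, no overlap
    for name, info in sorted(tensors.items(), key=lambda kv: kv[1]["data_offsets"][0]):
        begin, end = info["data_offsets"]
        n_elems = math.prod(info["shape"])  # empty shape -> 1 (a scalar)
        if end - begin != n_elems * DTYPE_SIZE[info["dtype"]]:
            raise ValueError(f"{name}: byte range disagrees with dtype/shape")
        if begin != expected:
            raise ValueError(f"{name}: data_offsets not contiguous")
        expected = end
    if expected != data_len:
        raise ValueError("tensor buffer size does not match header")
    return header

def is_well_formed(blob):
    try:
        parse_header(blob)
        return True
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return False
```

A real loader would then `mmap` the file and slice each tensor by its validated offsets, which is where the zero-copy and partial-read properties come from.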