Home › About › Security Disclosures
Security and supply-chain notes for using Z.ai
Practical notes on weight integrity, license review, prompt-injection risks, and sandbox patterns — for teams moving GLM models and the BigModel API toward production use.
5
Risk categories
SHA-256
Integrity check
Per-env
Key rotation
0 PII
In prompts (best practice)
Snapshot Brief
Five practical risk areas cover the most common security gaps teams encounter when adopting GLM models: weight integrity, license scope, prompt injection, API key management, and data privacy. Each has a concrete mitigation pattern that does not require advanced security expertise to implement.
Weight integrity and supply-chain verification
Downloading model weights from unverified mirrors is the single most common supply-chain risk when self-hosting open-weight models.
The GLM model family and the ChatGLM lineage are distributed primarily through the official Hugging Face organisation and the lab's GitHub repositories. Those channels are the only ones the upstream team controls. Community mirrors, re-upload accounts, and torrent distributions are not verified and carry meaningful risk of weight tampering — a modified weight file can produce outputs that differ from the canonical model in ways that are not immediately obvious from casual testing.
The practical mitigation is straightforward. Download weights from the canonical repository. Check the published SHA-256 or MD5 checksums for each file in the model directory against what you received. Most modern download tools (wget, curl, the Hugging Face CLI) support hash verification natively. Run the check as part of your deployment pipeline rather than as a one-time manual step, because the canonical checksums can themselves update when the upstream team patches a file.
For teams that need a more formal verification posture, the supply-chain security guidance in the NIST AI Risk Management Framework provides a structured way to categorise and document weight-integrity controls as part of a broader AI governance programme.
License review
The GLM family has shipped under at least three distinct license types across its generations — checking the model card for the specific build you use is not optional.
Not every GLM release is Apache 2.0. Earlier ChatGLM generations shipped under a custom model license that restricted certain commercial applications. Later releases relaxed some of those restrictions, and the code-specialised variants sometimes carry different terms from the base chat models in the same generation. The safest posture is to read the license section of the model card for the specific file set you are deploying, not the license that applied to an earlier generation you may have evaluated previously.
The hosted BigModel API adds another layer: the platform's own terms of service govern what you can build on top of the API response, independently of the model license. For most developer use cases the two documents are consistent, but enterprise procurement teams working on regulated or consumer-facing applications should review both before sign-off.
Prompt-injection risks
Prompt injection is a structural risk for any LLM used in a pipeline that accepts untrusted external input — and mitigation is architectural, not model-specific.
Prompt injection exploits the fact that most LLMs cannot reliably distinguish instructions embedded in a system prompt from instructions embedded in user-supplied content. An attacker who can place text in the user turn of a Z.ai or BigModel API call may be able to override system-prompt instructions if the pipeline does not structurally separate trusted context from untrusted input.
The primary mitigation is architectural: never interpolate raw user-supplied strings into the system message. Treat the system message as a template with clearly bounded substitution points, and sanitise any external content before it enters those points. For agentic pipelines where the model is calling tools based on user instructions, add a confirmation layer between the model's tool-call proposal and the actual tool execution — this breaks the injection chain before it reaches external systems.
Secondary mitigations include output monitoring (flag responses that include unexpected instruction-like patterns), rate limiting at the API key level to detect injection probing, and periodic red-team exercises against your own system prompts.
API key management for the BigModel platform
API keys for the BigModel platform follow the same hygiene rules as any cloud credential — per-environment rotation, least-privilege scope, and audit logging.
The BigModel console supports multiple API keys per account, which makes per-environment key isolation practical. Production, staging, and development environments should each use a distinct key so that a compromised development credential cannot reach production data or exhaust production budget. Keys should be rotated on a schedule — quarterly is a common baseline for lower-risk workloads, monthly for production workloads handling sensitive data.
Store keys in a secrets manager rather than in environment files committed to source control. Audit key usage logs from the console at least weekly in production; an unexpected spike in token consumption is often the first signal that a key has been leaked. The BigModel console surfaces per-key usage histograms that make this review quick once the habit is established.
Data privacy for hosted inference
Data sent to a hosted LLM API should be treated as potentially logged unless the data-processing agreement explicitly states otherwise — the prompt is the exposure surface.
Hosted inference through the BigModel API means that prompt content transits the platform's infrastructure. For regulated workloads — healthcare, finance, legal — this raises data residency and retention questions that need answers before production use. The platform publishes data-processing terms, and teams working in regulated verticals should obtain a copy and review it against their compliance obligations before committing to the hosted API for sensitive workloads.
For most developer workloads, the practical rule is simpler: redact personally identifiable information and sensitive business identifiers before including them in prompts. This is good hygiene regardless of the platform's specific terms, and it keeps the risk surface manageable without requiring a full compliance review for every experiment.
Risk summary table
Five risk categories, each with a plain-language note and a concrete mitigation pattern.
| Risk category | Note | Mitigation |
|---|---|---|
| Weight integrity | Mirrors and re-upload accounts are not verified by the upstream team | Download from canonical Hugging Face or GitHub; verify SHA-256 checksums in the pipeline |
| License scope | License terms vary across generations and variant types | Read the model card license section for the specific build you are deploying; do not assume Apache 2.0 |
| Prompt injection | Pipelines that accept untrusted input are structurally vulnerable | Separate system context from user input architecturally; sanitise before interpolation; add a tool-call confirmation step in agentic pipelines |
| API key exposure | Shared or long-lived keys increase blast radius of a credential leak | Use per-environment keys, store in a secrets manager, rotate on schedule, audit usage logs weekly |
| Data privacy | Prompt content transits platform infrastructure and may be logged | Redact PII before prompting; review data-processing agreement for regulated workloads |
Security questions
Five questions across two tabs address weight integrity, license compliance, prompt injection, API key hygiene, and data privacy for Z.ai deployments.
How do I verify GLM weight integrity before deployment?
Download weights only from the canonical Hugging Face repository or the official GitHub organisation. Check published SHA-256 checksums against the files you receive. Community mirrors and re-upload accounts are not verified by the upstream team and should be treated as untrusted until independently checked. Run the hash verification as part of your deployment pipeline, not as a one-time manual step.
What license restrictions apply to commercial GLM use?
The GLM family ships under several licenses depending on generation and variant. Some releases use a custom model license that restricts certain commercial applications; others use Apache 2.0. Read the model card for the specific build you are deploying — do not assume that the license from one generation carries forward to the next. The BigModel platform's own terms of service are a separate document and must be reviewed independently for hosted use.
What prompt-injection risks should I plan for when using Z.ai APIs?
Prompt injection is a risk for any LLM API used in an agentic or tool-calling pipeline. The mitigation is architectural: separate trusted system context from untrusted user input structurally, never interpolating user-supplied strings into system prompts without sanitisation. For agentic pipelines, add a confirmation step between the model's tool-call proposal and actual execution. The NIST AI RMF provides a useful framework for categorising these risks formally.
What sandbox pattern works for hosted Z.ai instances?
For hosted inference via the BigModel API, sandbox the integration at the network and IAM layer: rotate API keys per environment, restrict key scope to the minimum required model list, and log all requests for audit. For self-hosted open-weight deployments, run inference in an isolated container with no outbound network access beyond a defined allowlist. Neither pattern requires specialised AI security tooling — standard cloud-infrastructure hygiene covers the main risks.
How should I handle data sent to the BigModel API for privacy compliance?
Treat any data sent to a hosted LLM API as potentially logged for abuse-detection and model-improvement purposes unless the provider's data-processing agreement explicitly states otherwise. Redact PII and sensitive identifiers before passing them in prompts. For regulated workloads, review the platform's data-residency and retention commitments before production use — and get that review in writing from procurement, not just informally from an engineering call.
Related reference pages for teams evaluating Z.ai for production
Links from this security page to the adjacent reference pages that production teams typically need alongside a security review.
A security review of a platform is only one part of a production evaluation. Teams that have worked through the risk categories on this page typically next want the open platform reference for the full account and key-management surface, the API reference for the endpoint contract and authentication pattern, and the pricing reference for budget planning. For teams deploying GLM models self-hosted, the GitHub presence hosts the model cards and inference code. The editorial scope page explains how this reference handles sourcing, so security teams know what to verify independently. The resource hub points to community forums and support channels for questions outside the scope of this reference. For any concerns about this site's own editorial practices, the reach-team page has contact details.