Add Implementation Workflow section to model card

README.md

@@ -71,6 +71,41 @@ The model can output these security actions:
 }
 ```
 
+## Implementation Workflow
+
+This model outputs JSON action blocks that your application must parse and execute. Here's the complete workflow:
+
+### 1. Model Generates JSON Instructions
+
+When you send user input to the model (e.g., "Check this suspicious link: bit.ly/malware-site"), it analyzes the threat and outputs structured JSON:
+
+```json
+{
+  "thought": "Suspicious URL detected",
+  "action": "scan_url",
+  "params": {"url": "bit.ly/malware-site"}
+}
+```
+
+### 2. Application Parses JSON
+
+Your Android app or Edge AI Service must:
+- Parse the JSON response from the model
+- Extract the `action` field to determine what security action to take
+- Extract the `params` object to get necessary parameters (URL, process ID, etc.)
+- Extract the `thought` field for logging/debugging
+
+### 3. Execute Security Actions
+
+Based on the action specified, your application implements the actual security function:
+
+- **`scan_url(url)`**: Integrate with a URL scanning service (e.g., Google Safe Browsing API, VirusTotal) to check if the link is malicious
+- **`kill_process(pid)`**: Use Android's `ActivityManager` or system APIs to terminate the suspicious application process
+- **`isolate_network()`**: Disable network connectivity using `ConnectivityManager` or firewall APIs to prevent data exfiltration
+- **`ignore()`**: No action needed - log the event and continue normal operation
+
+**Important**: The model does NOT perform these actions itself. It only generates the instructions. Your application must implement the actual security mechanisms.
+
 ## Usage
 
 ### Python