---
language:
  - en
license: apache-2.0
library_name: gguf
tags:
  - conversational
  - aibom
  - sample
  - qwen2
  - gguf
pipeline_tag: text-generation
base_model: Qwen/Qwen2-0.5B
---

# Model Card for protecttors/sample-files

`protecttors/sample-files` is a **security vulnerability demonstration repository** containing model artifacts across multiple serialization formats (GGUF, PyTorch `.bin`, and Python pickle `.pkl`). It is NOT a production inference model. It exists to enable AI/ML supply chain security tooling, AIBOM (AI Bill of Materials) generation, unsafe file detection, and red teaming of model ingestion pipelines.

> ⚠️ **Security Notice:** 4 files in this repository are intentionally built to be unsafe. This is by design. Do not load these files into production environments without thorough security review.

---

## Model Details

### Model Description

This repository serves as a controlled artifact fixture for security practitioners, AIBOM tooling, and professionals working on AI supply chain integrity. It bundles three classes of model file formats — GGUF (quantized LLM weights), PyTorch binary weights, and pickle-serialized ML objects — to provide ground-truth positive samples for scanners, AIBOM generators, and VEX (Vulnerability Exploitability eXchange) authoring tools.

The `.pkl` and `.bin` files may contain synthetic or deliberately modified artifacts constructed for security research purposes and do not represent validated trained weights.

- **Developed by:** [Protecttors](https://huggingface.co/protecttors)
- **Model type:** GGUF, PKL, PT 
- **Language(s) (NLP):** English
- **License:** Apache 2.0
- **Finetuned from model [optional]:** [Qwen/Qwen2-0.5B](https://huggingface.co/Qwen/Qwen2-0.5B)

### Model Sources [optional]

- **Repository:** https://huggingface.co/protecttors/sample-files
- **Paper [optional]:** Not applicable
- **Demo [optional]:** Not applicable

---

## Uses

This repository serves as a controlled artifact fixture for security practitioners, AIBOM tooling, and professionals working on AI supply chain integrity.

### Direct Use

This repository is intended for use as a **test artifact repository** for:

- **AIBOM/SBOM developers and integrators** — validating that tools correctly enumerate model components, serialization formats, embedded metadata, and dependency graphs across GGUF, `.bin`, and `.pkl` formats.
- **Vulnerability scanner developers and testers** — verifying that scanners flag unsafe pickle deserialization payloads, embedded executable code, or malformed model headers.
- **Red teamers and penetration testers** — simulating adversarial model artifacts in controlled environments to test model registry ingestion pipelines, CI/CD gates, and serving infrastructure.

### Downstream Use [optional]

Not recommended for any downstream applications.

### Out-of-Scope Use


- **Production inference:** These files are not quality-evaluated and must not be used for real-world text generation.
- **Fine-tuning or transfer learning:** No training provenance or dataset documentation is available for these artifacts.
- **Weaponization:** Adapting the intentionally unsafe artifacts in this repository to create novel malware or exploit code is strictly prohibited and outside the intended scope of this research.
- **Use by non-security practitioners without supervision:** Users unfamiliar with the risks of loading untrusted `.pkl` or `.bin` files should not interact with these artifacts directly.

---

## Bias, Risks, and Limitations

**Dual-use risk:** Publishing intentionally unsafe model artifacts carries inherent dual-use risk. The same samples that enable defenders to test scanners can, in principle, serve as reference material for adversaries. This is mitigated by ensuring the repository does not contain functional exploits, only detection-oriented samples.

**Pickle deserialization risk:** Python pickle (`.pkl`) files can embed arbitrary executable Python code. Loading these files outside an isolated environment could result in code execution on the host system.

**No quality guarantees on GGUF weights:** The quantized Qwen2 weights have not been evaluated for factual accuracy, coherence, or safety alignment. They inherit any biases present in the Qwen2-0.5B base model.

**Scanner false negative risk:** Not every security scanning tool will flag all 4 unsafe files in this repository. Absence of a scanner alert does not imply safety.

**Format coverage is intentionally narrow:** This repository covers three file formats (GGUF, PyTorch bin, pickle). It does not represent the full surface area of unsafe model formats (e.g., ONNX, SafeTensors, TFLite, CoreML).

### Recommendations

- Always load artifacts from this repository inside an **isolated, sandboxed environment** (container or VM with no network access, no credentials, no access to sensitive filesystem paths).
- Prefer **SafeTensors** over `.pkl` or `.bin` in production pipelines — SafeTensors does not support arbitrary code execution during deserialization.
- Run **pickle scanning** (e.g., `picklescan`, `modelscan`) on any `.pkl` artifact before loading.
- Validate GGUF file headers before inference to detect unexpected metadata or embedded payloads.
- Treat scanner results from this repository as **ground-truth positives** when calibrating detection thresholds.
- Users building AIBOM tooling should verify their tools enumerate all three format directories and correctly surface the 4 flagged files.
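The pickle scanning recommendation above is worth seeing in miniature. The following is an added example, not code from this repository nor from `picklescan` or `modelscan`: it walks a pickle's opcode stream with the standard library's `pickletools` (never calling `pickle.load`), records every callable the stream imports, flags those outside an allowlist, and counts opcodes that would invoke a callable at load time. The allowlist and the three sample byte strings are constructed for the example; the two unsafe samples reference the harmless `os.getcwd` so the detection logic can be checked without risk.

```python
import pickle
import pickletools

# Modules a weight loader legitimately references; the list is an assumption
# for this example and should be tuned per pipeline.
ALLOWED_PREFIXES = ("collections.", "numpy.", "torch.", "_codecs.")
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream with pickletools (never unpickles) and report
    every imported callable, which of them fall outside the allowlist, and
    how many opcodes would invoke a callable at load time."""
    imports, disallowed, strings, calls = [], [], [], 0
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(str(arg))           # remembered for STACK_GLOBAL
        elif op.name in CALL_OPS:
            calls += 1
        target = None
        if op.name == "GLOBAL":                # protocols 0-3: "module name"
            target = ".".join(arg.split())
        elif op.name == "STACK_GLOBAL":        # protocol 4+: last two strings pushed (memo re-use not resolved)
            target = ".".join(strings[-2:]) if len(strings) >= 2 else "<unresolved>"
        if target is not None:
            imports.append((pos, target))
            if not target.startswith(ALLOWED_PREFIXES):
                disallowed.append(target)
    return {"imports": imports, "disallowed": disallowed, "call_ops": calls}

def is_unsafe(data: bytes) -> bool:
    """True when the stream imports anything outside the allowlist."""
    return bool(scan_pickle(data)["disallowed"])

# Constructed samples (not files from this repository).
SAFE = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=4)
# Protocol 0: GLOBAL os getcwd, EMPTY_TUPLE, REDUCE, STOP -- would call os.getcwd() on load.
UNSAFE_P0 = b"cos\ngetcwd\n)R."
# Protocol 4: PROTO, SHORT_BINUNICODE "os", SHORT_BINUNICODE "getcwd", STACK_GLOBAL, EMPTY_TUPLE, REDUCE, STOP.
UNSAFE_P4 = b"\x80\x04\x8c\x02os\x8c\x06getcwd\x93)R."
```

A `.bin` file saved with `torch.save` is a zip archive whose `data.pkl` member can be fed to the same scanner after extraction.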

---

## How to Get Started with the Model

Use the following **only in an isolated sandbox environment**:

```bash
# Clone the repository
git clone https://huggingface.co/protecttors/sample-files

# Inspect file structure
ls -lh sample-files/gguf_diffusion_model/
ls -lh sample-files/ml_pkl_file/
ls -lh sample-files/torch_bin_model/

# Run pickle scan on pkl artifacts (install: pip install modelscan)
modelscan -p sample-files/ml_pkl_file/

# Inspect GGUF header without loading weights
python -c "
with open('sample-files/gguf_diffusion_model/<file>.gguf', 'rb') as f:
    magic = f.read(4)
    print('Magic bytes:', magic)
"
```

> Do **not** run `pickle.load()` or `torch.load()` directly on these files outside a sandbox.
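The magic-byte check above only tells you that a file claims to be GGUF. The following added example (not code from this repository or from `llama.cpp`) goes one step further: a bounds-checked parser for the GGUF v2/v3 header that validates magic, version and the tensor and KV counts, then returns the metadata key/value pairs (architecture, file type and so on) without reading any tensor data, which is what "validate GGUF file headers before inference" amounts to in practice. The limits `MAX_COUNT` and `MAX_STR` and the two-entry `SAMPLE` header are assumptions constructed for the example.

```python
import struct

GGUF_MAGIC = b"GGUF"
SCALARS = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i", 6: "<f",
           7: "<?", 10: "<Q", 11: "<q", 12: "<d"}  # GGUF scalar types; 8 = string, 9 = array
MAX_COUNT, MAX_STR = 1 << 20, 1 << 16  # assumed sanity bounds; larger claims are treated as hostile

class GGUFHeaderError(ValueError):
    pass

def parse_gguf_header(data: bytes) -> dict:
    """Validate magic, version and counts, then return the metadata KV pairs without
    reading tensor data. Raises GGUFHeaderError (bad values) or struct.error (truncation)."""
    pos = 0
    def take(fmt):  # little-endian read that advances pos; struct.error if data runs out
        nonlocal pos
        val = struct.unpack_from(fmt, data, pos)[0]
        pos += struct.calcsize(fmt)
        return val
    def value(vtype):
        if vtype in SCALARS:
            return take(SCALARS[vtype])
        if vtype == 8:  # string: uint64 length + UTF-8 bytes
            n = take("<Q")
            if n > MAX_STR:
                raise GGUFHeaderError(f"string length {n} out of bounds")
            return take(f"<{n}s").decode("utf-8")
        if vtype == 9:  # array: uint32 element type + uint64 count + elements
            etype, n = take("<I"), take("<Q")
            if n > MAX_COUNT:
                raise GGUFHeaderError(f"array length {n} out of bounds")
            return [value(etype) for _ in range(n)]
        raise GGUFHeaderError(f"unknown value type {vtype}")
    magic, version, n_tensors, n_kv = take("<4s"), take("<I"), take("<Q"), take("<Q")
    if magic != GGUF_MAGIC or version not in (2, 3):
        raise GGUFHeaderError(f"not a supported GGUF header: {magic!r} v{version}")
    if max(n_tensors, n_kv) > MAX_COUNT:
        raise GGUFHeaderError("implausible tensor/kv count")
    meta = {value(8): value(take("<I")) for _ in range(n_kv)}  # key is evaluated first (3.8+)
    return {"version": version, "tensor_count": n_tensors, "metadata": meta}

def is_valid_gguf(data: bytes) -> bool:
    try:
        return bool(parse_gguf_header(data))
    except (GGUFHeaderError, struct.error, UnicodeDecodeError):
        return False

SAMPLE = (GGUF_MAGIC + struct.pack("<IQQ", 3, 2, 2)  # constructed two-entry header, not a real file
          + struct.pack("<Q", 20) + b"general.architecture" + struct.pack("<IQ", 8, 5) + b"qwen2"
          + struct.pack("<Q", 17) + b"general.file_type" + struct.pack("<II", 4, 15))
```

On a real file, pass only the leading bytes (a few megabytes covers the metadata of most models) so the check never maps the weights.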

---

## Training Details

### Training Data


Not applicable. This repository is not the output of a training run. 

### Training Procedure

Not applicable.

#### Preprocessing [optional]

Not applicable.

#### Training Hyperparameters

- **Training regime:** Not applicable — no training was performed by the Protecttors organization for this repository.

---

## Evaluation


### Testing Data, Factors & Metrics

#### Testing Data

This repository is itself a test dataset for security tooling. It is not evaluated on NLP benchmarks.

#### Factors

The relevant evaluation factors for tooling using this repository are:

- **Format coverage:** Does the scanner/AIBOM tool correctly handle all three artifact formats?
- **Detection recall:** Are all 4 unsafe files surfaced by the tool?
- **False positive rate:** Does the tool produce spurious alerts on safe files?
- **Metadata extraction fidelity:** Does the AIBOM tool correctly extract architecture, parameter count, quantization type, and license from GGUF metadata?

#### Metrics


| Metric | Description |
|---|---|
| Unsafe file detection rate | % of the 4 flagged files correctly identified |
| Format enumeration completeness | % of artifact formats correctly categorized in AIBOM output |
| VEX advisory linkage | Whether generated VEX documents correctly reference flagged component SHAs |
| False positive rate | Alerts raised on non-flagged files |

### Results

Tooling evaluation results are not included in this card. Security researchers and practitioners using this repository as a benchmark fixture are encouraged to publish their scanner results via the [Community Discussions tab](https://huggingface.co/protecttors/sample-files/discussions).

#### Summary

This repository provides 4 unsafe artifacts and a mix of format types to stress-test AI supply chain security tooling. It is not benchmarked on NLP tasks.

---

## Model Examination [optional]

The GGUF weights are derived from Qwen2-0.5B, a transformer-based autoregressive language model. No interpretability analysis has been performed by the Protecttors organization on these artifacts. Researchers wishing to inspect model internals may use GGUF header parsing tools to examine quantization metadata without loading full weights into memory.

---

## Environmental Impact

No training was conducted by Protecttors for this repository.

The GGUF quantization of Qwen2-0.5B is a lightweight conversion step with negligible carbon footprint relative to the original pre-training.

- **Hardware Type:** Not applicable (no training by Protecttors)
- **Hours used:** Not applicable
- **Cloud Provider:** Not applicable
- **Compute Region:** Not applicable
- **Carbon Emitted:** Not applicable — refer to [Qwen2 model card](https://huggingface.co/Qwen/Qwen2-0.5B) for pre-training emissions

---

## Technical Specifications [optional]

### Model Architecture and Objective

| Property | Value |
|---|---|
| Architecture | Qwen2 (transformer, autoregressive) |
| Parameters | ~0.6B |
| Primary serialization format | GGUF (quantized) |
| Additional formats | PyTorch `.bin`, Python `.pkl` |
| Chat template | Qwen2 default |
| Quantization variants | See repository file listing |

### Compute Infrastructure

Not applicable — no training infrastructure was used by the Protecttors organization.

#### Hardware

Not applicable.

#### Software

- GGUF conversion: `llama.cpp` conversion toolchain
- Pickle artifacts: Python 3.x standard library
- PyTorch `.bin` artifacts: PyTorch package

### Framework versions

- Transformers 4.28.1
- Pytorch 2.0.0+cu118
- Datasets 2.11.0
- Tokenizers 0.13.3
- Tensorflow 2.19.1
- tensorflow-gpu 2.10.1

## Model Card Contact

Reach out via the [Community Discussions tab](https://huggingface.co/protecttors/sample-files/discussions) on this repository for questions, responsible disclosure, or tooling benchmark contributions.