Model card

Model Card based on the demo files that are part of the Repository.

README.md

@@ -0,0 +1,294 @@
+---
+language:
+  - en
+license: apache-2.0
+library_name: gguf
+tags:
+  - conversational
+  - aibom
+  - sample
+  - qwen2
+  - gguf
+pipeline_tag: text-generation
+base_model: Qwen/Qwen2-0.5B
+---
+
+# Model Card for protecttors/sample-files
+
+`protecttors/sample-files` is a **security vulnerability demonstration repository** containing model artifacts across multiple serialization formats (GGUF, PyTorch `.bin`, and Python pickle `.pkl`). It is NOT a production inference model. It exists to enable AI/ML supply chain security tooling, AIBOM (AI Bill of Materials) generation, unsafe file detection, and red teaming of model ingestion pipelines.
+
+> ⚠️ **Security Notice:** 4 files in this repository are intentionally built to be unsafe. This is by design. Do not load these files into production environments without thorough security review.
+
+---
+
+## Model Details
+
+### Model Description
+
+This repository serves as a controlled artifact fixture for security practitioners and for AIBOM tooling and proffesionals working on AI supply chain integrity. It bundles three classes of model file formats — GGUF (quantized LLM weights), PyTorch binary weights, and pickle-serialized ML objects — to provide ground-truth positive samples for scanners, AIBOM generators, and VEX (Vulnerability Exploitability eXchange) authoring tools.
+
+The `.pkl` and `.bin` files may contain synthetic or deliberately modified artifacts constructed for security research purposes and do not represent validated trained weights.
+
+- **Developed by:** [Protecttors](https://huggingface.co/protecttors)
+- **Model type:** GGUF, PKL, PT 
+- **Language(s) (NLP):** English
+- **License:** Apache 2.0
+- **Finetuned from model [optional]:** [Qwen/Qwen2-0.5B](https://huggingface.co/Qwen/Qwen2-0.5B)
+
+### Model Sources [optional]
+
+- **Repository:** https://huggingface.co/protecttors/sample-files
+- **Paper [optional]:** Not applicable
+- **Demo [optional]:** Not applicable
+
+---
+
+## Uses
+
+This repository serves as a controlled artifact fixture for security practitioners and for AIBOM tooling and proffesionals working on AI supply chain integrity. 
+
+### Direct Use
+
+This repository is intended for use as a **test artifactory** for:
+
+- **AIBOM/SBOM developer / Integrators** — validating that tools correctly enumerate model components, serialization formats, embedded metadata, and dependency graphs across GGUF, `.bin`, and `.pkl` formats.
+- **Vulnerability scanner and testers** — verifying that scanners flag unsafe pickle deserialization payloads, embedded executable code, or malformed model headers.
+- **Red teamers and penetration testers** — simulating adversarial model artifacts in controlled environments to test model registry ingestion pipelines, CI/CD gates, and serving infrastructure.
+
+### Downstream Use [optional]
+
+<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
+Not recommended for any Downstream applications.
+
+### Out-of-Scope Use
+
+<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
+
+- **Production inference:** These files are not quality-evaluated and must not be used for real-world text generation.
+- **Fine-tuning or transfer learning:** No training provenance or dataset documentation is available for these artifacts.
+- **Weaponization:** Adapting the intentionally unsafe artifacts in this repository to create novel malware or exploit code is strictly prohibited and outside the intended scope of this research.
+- **Use by non-security practitioners without supervision:** Users unfamiliar with the risks of loading untrusted `.pkl` or `.bin` files should not interact with these artifacts directly.
+
+---
+
+## Bias, Risks, and Limitations
+
+
+**Dual-use risk:** Publishing intentionally unsafe model artifacts carries inherent dual-use risk. The same samples that enable defenders to test scanners can, in principle, serve as reference material for adversaries. This is mitigated by ensuring the repository does not contain functional exploits, only detection-oriented samples.
+
+**Pickle deserialization risk:** Python pickle (`.pkl`) files can embed arbitrary executable Python code. Loading these files outside an isolated environment could result in code execution on the host system.
+
+**No quality guarantees on GGUF weights:** The quantized Qwen2 weights have not been evaluated for factual accuracy, coherence, or safety alignment. They inherit any biases present in the Qwen2-0.5B base model.
+
+**Scanner false negative risk:** Not all security scanning tools may flag all 4 unsafe files in this repository. Absence of a scanner alert does not imply safety.
+
+**Format coverage is intentionally narrow:** This repository covers three file formats (GGUF, PyTorch bin, pickle). It does not represent the full surface area of unsafe model formats (e.g., ONNX, SafeTensors, TFLite, CoreML).
+
+### Recommendations
+
+
+- Always load artifacts from this repository inside an **isolated, sandboxed environment** (container or VM with no network access, no credentials, no access to sensitive filesystem paths).
+- Prefer **SafeTensors** over `.pkl` or `.bin` in production pipelines — SafeTensors does not support arbitrary code execution during deserialization.
+- Run **pickle scanning** (e.g., `picklescan`, `modelscan`) on any `.pkl` artifact before loading.
+- Validate GGUF file headers before inference to detect unexpected metadata or embedded payloads.
+- Treat scanner results from this repository as **ground-truth positives** when calibrating detection thresholds.
+- Users building AIBOM tooling should verify their tools enumerate all three format directories and correctly surface the 4 flagged files.
+
+---
+
+## How to Get Started with the Model
+
+Use the following **only in an isolated sandbox environment**:
+
+```bash
+# Clone the repository
+git clone https://huggingface.co/protecttors/sample-files
+
+# Inspect file structure
+ls -lh sample-files/gguf_diffusion_model/
+ls -lh sample-files/ml_pkl_file/
+ls -lh sample-files/torch_bin_model/
+
+# Run pickle scan on pkl artifacts (install: pip install modelscan)
+modelscan -p sample-files/ml_pkl_file/
+
+# Inspect GGUF header without loading weights
+python -c "
+with open('sample-files/gguf_diffusion_model/<file>.gguf', 'rb') as f:
+    magic = f.read(4)
+    print('Magic bytes:', magic)
+"
+```
+
+> Do **not** run `pickle.load()` or `torch.load()` directly on these files outside a sandbox.
+
+---
+
+## Training Details
+
+### Training Data
+
+<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
+
+Not applicable. This repository is not the output of a training run. 
+
+### Training Procedure
+
+Not applicable.
+
+#### Preprocessing [optional]
+
+Not applicable.
+
+#### Training Hyperparameters
+
+- **Training regime:** Not applicable — no training was performed by the Protecttors organization for this repository.
+
+#### Speeds, Sizes, Times [optional]
+
+<!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
+
+| Artifact Directory | Approximate Size | Format |
+|---|---|---|
+| `gguf_diffusion_model/` | ~280 MB | GGUF |
+| `ml_pkl_file/` | Variable | Python Pickle |
+| `torch_bin_model/` | Variable | PyTorch Binary |
+| **Total repository** | **~301 MB** | Mixed |
+
+---
+
+## Evaluation
+
+<!-- This section describes the evaluation protocols and provides the results. -->
+
+### Testing Data, Factors & Metrics
+
+#### Testing Data
+
+<!-- This should link to a Dataset Card if possible. -->
+
+This repository is itself a test dataset for security tooling. It is not evaluated on NLP benchmarks.
+
+#### Factors
+
+<!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
+
+The relevant evaluation factors for tooling using this repository are:
+
+- **Format coverage:** Does the scanner/AIBOM tool correctly handle all three artifact formats?
+- **Detection recall:** Are all 4 unsafe files surfaced by the tool?
+- **False positive rate:** Does the tool produce spurious alerts on safe files?
+- **Metadata extraction fidelity:** Does the AIBOM tool correctly extract architecture, parameter count, quantization type, and license from GGUF metadata?
+
+#### Metrics
+
+<!-- These are the evaluation metrics being used, ideally with a description of why. -->
+
+| Metric | Description |
+|---|---|
+| Unsafe file detection rate | % of the 4 flagged files correctly identified |
+| Format enumeration completeness | % of artifact formats correctly categorized in AIBOM output |
+| VEX advisory linkage | Whether generated VEX documents correctly reference flagged component SHAs |
+| False positive rate | Alerts raised on non-flagged files |
+
+### Results
+
+Tooling evaluation results are not included in this card. Security Researchers and practitioners using this repository as a benchmark fixture are encouraged to publish their scanner results via the [Community Discussions tab](https://huggingface.co/protecttors/sample-files/discussions).
+
+#### Summary
+
+This repository provides 4 unsafe artifacts and a mix of format types to stress-test AI supply chain security tooling. It is not benchmarked on NLP tasks.
+
+---
+
+## Model Examination [optional]
+
+<!-- Relevant interpretability work for the model goes here -->
+
+The GGUF weights are derived from Qwen2-0.5B, a transformer-based autoregressive language model. No interpretability analysis has been performed by the Protecttors organization on these artifacts. Researchers wishing to inspect model internals may use GGUF header parsing tools to examine quantization metadata without loading full weights into memory.
+
+---
+
+## Environmental Impact
+
+No training was conducted by the Protecttors for this repository. 
+
+The GGUF quantization of Qwen2-0.5B is a lightweight conversion step with negligible carbon footprint relative to the original pre-training.
+
+Carbon emissions for the original Qwen2 pre-training can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
+
+- **Hardware Type:** Not applicable (no training by Protecttors)
+- **Hours used:** Not applicable
+- **Cloud Provider:** Not applicable
+- **Compute Region:** Not applicable
+- **Carbon Emitted:** Not applicable — refer to [Qwen2 model card](https://huggingface.co/Qwen/Qwen2-0.5B) for pre-training emissions
+
+---
+
+## Technical Specifications [optional]
+
+### Model Architecture and Objective
+
+| Property | Value |
+|---|---|
+| Architecture | Qwen2 (transformer, autoregressive) |
+| Parameters | ~0.6B |
+| Primary serialization format | GGUF (quantized) |
+| Additional formats | PyTorch `.bin`, Python `.pkl` |
+| Chat template | Qwen2 default |
+| Quantization variants | See repository file listing |
+
+### Compute Infrastructure
+
+Not applicable — no training infrastructure was used by the Protecttors organization.
+
+#### Hardware
+
+Not applicable.
+
+#### Software
+
+- GGUF conversion: `llama.cpp` conversion toolchain
+- Pickle artifacts: Python 3.x standard library
+- PyTorch Package
+
+---
+
+## Citation [optional]
+
+<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
+
+**BibTeX:**
+
+---
+
+## Glossary [optional]
+
+<!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
+
+| Term | Definition |
+|---|---|
+| **AIBOM** | AI Bill of Materials — a structured inventory of components, dependencies, and metadata for an AI model artifact |
+| **SBOM** | Software Bill of Materials — analogous to AIBOM but covering software supply chains broadly |
+| **VEX** | Vulnerability Exploitability eXchange — a document format for attaching exploitability status to known vulnerabilities in software/AI components |
+| **GGUF** | A binary serialization format for quantized LLM weights, used by `llama.cpp` and compatible runtimes |
+| **Pickle** | Python's native object serialization format; dangerous when loading untrusted sources as it supports arbitrary code execution |
+| **SafeTensors** | A safer alternative serialization format for ML weights that does not support code execution on load |
+| **Red teaming** | Adversarial testing methodology where security researchers simulate attacker behavior to identify vulnerabilities |
+| **CERT-In** | Indian Computer Emergency Response Team — the national nodal agency for cybersecurity incident response in India |
+
+---
+
+## More Information [optional]
+
+---
+
+## Model Card Authors [optional]
+
+Protecttors organization
+
+---
+
+## Model Card Contact
+
+Reach out via the [Community Discussions tab](https://huggingface.co/protecttors/sample-files/discussions) on this repository for questions, responsible disclosure, or tooling benchmark contributions.