Use from the llama-cpp-python library

```python
# !pip install llama-cpp-python

from llama_cpp import Llama

# Downloads the fixture GGUF from the Hub and loads it with llama.cpp.
# Per the card below, run this only in an isolated sandbox.
llm = Llama.from_pretrained(
    repo_id="protecttors/sample-files",
    filename="gguf_diffusion_model/retr0reg.gguf",
)
llm.create_chat_completion(
    messages=[
        {
            "role": "user",
            "content": "What is the capital of France?",
        }
    ]
)
```

Model Card for protecttors/sample-files

protecttors/sample-files is a security vulnerability demonstration repository containing model artifacts across multiple serialization formats (GGUF, PyTorch .bin, and Python pickle .pkl). It is NOT a production inference model. It exists to support testing of AI/ML supply chain security tooling: AIBOM (AI Bill of Materials) generation, unsafe file detection, and red teaming of model ingestion pipelines.

โš ๏ธ Security Notice: 4 files in this repository are intentionally built to be unsafe. This is by design. Do not load these files into production environments without thorough security review.


Model Details

Model Description

This repository serves as a controlled artifact fixture for security practitioners, AIBOM tool developers, and professionals working on AI supply chain integrity. It bundles three classes of model file format (GGUF quantized LLM weights, PyTorch binary weights, and pickle-serialized ML objects) to provide ground-truth positive samples for scanners, AIBOM generators, and VEX (Vulnerability Exploitability eXchange) authoring tools.

The .pkl and .bin files may contain synthetic or deliberately modified artifacts constructed for security research purposes and do not represent validated trained weights.

  • Developed by: Protecttors
  • Model type: GGUF, PKL, PT
  • Language(s) (NLP): English
  • License: Apache 2.0
  • Base model (quantized, not fine-tuned): Qwen/Qwen2-0.5B

Uses

This repository is a controlled artifact fixture for security practitioners, AIBOM tool developers, and professionals working on AI supply chain integrity.

Direct Use

This repository is intended for use as a test fixture for:

  • AIBOM/SBOM tool developers and integrators: validating that tools correctly enumerate model components, serialization formats, embedded metadata, and dependency graphs across GGUF, .bin, and .pkl formats.
  • Vulnerability scanner developers and testers: verifying that scanners flag unsafe pickle deserialization payloads, embedded executable code, or malformed model headers.
  • Red teamers and penetration testers: simulating adversarial model artifacts in controlled environments to test model registry ingestion pipelines, CI/CD gates, and serving infrastructure.

Downstream Use

Not recommended for any downstream applications.

Out-of-Scope Use

  • Production inference: These files are not quality-evaluated and must not be used for real-world text generation.
  • Fine-tuning or transfer learning: No training provenance or dataset documentation is available for these artifacts.
  • Weaponization: Adapting the intentionally unsafe artifacts in this repository to create novel malware or exploit code is strictly prohibited and outside the intended scope of this research.
  • Use by non-security practitioners without supervision: Users unfamiliar with the risks of loading untrusted .pkl or .bin files should not interact with these artifacts directly.

Bias, Risks, and Limitations

Dual-use risk: Publishing intentionally unsafe model artifacts carries inherent dual-use risk. The same samples that enable defenders to test scanners can, in principle, serve as reference material for adversaries. This is mitigated by ensuring the repository does not contain functional exploits, only detection-oriented samples.

Pickle deserialization risk: Python pickle (.pkl) files are not passive data. The GLOBAL/STACK_GLOBAL and REDUCE opcodes let a pickle name any importable callable and invoke it with chosen arguments while the file is being loaded, so loading these files outside an isolated environment could result in code execution on the host system. The PyTorch .bin checkpoints carry the same risk: torch.load() is built on pickle, and only PyTorch 2.6 and later default it to weights_only=True, which restricts the unpickler to an allowlist of tensor-related globals.

No quality guarantees on GGUF weights: The quantized Qwen2 weights have not been evaluated for factual accuracy, coherence, or safety alignment. They inherit any biases present in the Qwen2-0.5B base model.

Scanner false negative risk: Not all security scanning tools may flag all 4 unsafe files in this repository. Absence of a scanner alert does not imply safety.

Format coverage is intentionally narrow: This repository covers three file formats (GGUF, PyTorch bin, pickle). It does not represent the full surface area of model formats a scanner or AIBOM tool may encounter (e.g., ONNX, SafeTensors, TFLite, CoreML).

Recommendations

  • Always load artifacts from this repository inside an isolated, sandboxed environment (container or VM with no network access, no credentials, no access to sensitive filesystem paths).
  • Prefer SafeTensors over .pkl or .bin in production pipelines: safetensors is a JSON header followed by raw tensor bytes, with no code path that executes during deserialization.
  • Run pickle scanning (e.g., picklescan, modelscan) on any .pkl artifact before loading.
  • Validate GGUF file headers before inference to detect unexpected metadata or embedded payloads.
  • Treat scanner results from this repository as ground-truth positives when calibrating detection thresholds.
  • Users building AIBOM tooling should verify their tools enumerate all three format directories and correctly surface the 4 flagged files.
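One way to do the static check that the pickle risk note and the "run pickle scanning" recommendation above call for. This is an added example, not code from the protecttors/sample-files repository or from picklescan/modelscan: it walks a pickle's opcode stream with the standard library's pickletools, records every global the stream would import (GLOBAL for protocol 3 and below, STACK_GLOBAL for protocol 4 and above), and flags anything not on a small allowlist, without ever calling pickle.load(). It also opens the zip layout that torch.save() produces so the same scan runs against a .bin checkpoint. The allowlist, the "known dangerous" list, the constructed benign and malicious pickles, and the fake checkpoint are assumptions of the example; the malicious sample is produced by pickle.dumps(), which records the os.system call without executing it.

```python
import io
import os
import pickle
import pickletools
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Globals a weights-only checkpoint legitimately references. This short allowlist is an
# assumption of the example; a production scanner carries a vetted, much longer one.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
                   ("torch", "FloatStorage")}
# Globals that mean arbitrary code execution the moment the unpickler resolves them.
KNOWN_DANGEROUS = {("os", "system"), ("posix", "system"), ("nt", "system"),
                   ("subprocess", "Popen"), ("subprocess", "run"),
                   ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__")}
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

@dataclass
class ScanResult:
    globals_seen: List[Tuple[str, str]] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)
    parse_error: Optional[str] = None

    @property
    def unsafe(self) -> bool:
        return bool(self.findings) or self.parse_error is not None

def scan_pickle(data: bytes) -> ScanResult:
    """Walk the opcode stream with pickletools; nothing here ever calls pickle.load()."""
    result, recent_strings = ScanResult(), []
    try:
        for opcode, arg, _pos in pickletools.genops(data):
            if opcode.name in STRING_OPCODES:
                recent_strings.append(arg)
            elif opcode.name == "GLOBAL":        # protocol <= 3: arg is "module name"
                module, attr = arg.split(" ", 1)
                result.globals_seen.append((module, attr))
            elif opcode.name == "STACK_GLOBAL":  # protocol 4+: module, name pushed as strings
                if len(recent_strings) < 2:
                    result.findings.append("STACK_GLOBAL without module/name strings")
                else:
                    result.globals_seen.append((recent_strings[-2], recent_strings[-1]))
    except Exception as exc:   # a stream the parser cannot walk is treated as unsafe, not clean
        result.parse_error = f"{type(exc).__name__}: {exc}"
        return result
    for module, attr in result.globals_seen:
        if (module, attr) in KNOWN_DANGEROUS:
            result.findings.append(f"known dangerous global {module}.{attr}")
        elif (module, attr) not in ALLOWED_GLOBALS:
            result.findings.append(f"non-allowlisted global {module}.{attr}")
    return result

def scan_torch_zip(blob: bytes) -> dict:
    """torch.save's zip layout stores the object graph as '<root>/data.pkl'; scan each such entry.
    Legacy non-zip checkpoints (several pickles followed by raw tensor bytes) need a dedicated reader."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("data.pkl"):
                results[info.filename] = scan_pickle(zf.read(info))
    return results

# --- Constructed samples (not files from the repository) -----------------------------------
class _Payload:
    """__reduce__ instructs the unpickler to call os.system at load time. pickle.dumps()
    only records that instruction; nothing runs until someone loads the result."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))

def build_samples() -> Tuple[bytes, bytes]:
    benign = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=4)
    malicious = pickle.dumps(_Payload(), protocol=4)
    return benign, malicious

def build_fake_checkpoint(data_pkl: bytes) -> bytes:
    """Wrap a pickle in the directory layout torch.save() produces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", data_pkl)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()
```

Against the repository itself, read each artifact under ml_pkl_file/ and torch_bin_model/ as bytes and pass it to scan_pickle() or scan_torch_zip(). A non-empty findings list or a parse error is a block-the-ingest result; it is not a reason to load the file and see what happens.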

How to Get Started with the Model

Use the following only in an isolated sandbox environment:

```bash
# Clone the repository
git clone https://huggingface.co/protecttors/sample-files

# Inspect file structure
ls -lh sample-files/gguf_diffusion_model/
ls -lh sample-files/ml_pkl_file/
ls -lh sample-files/torch_bin_model/

# Run pickle scan on pkl artifacts (install: pip install modelscan)
modelscan -p sample-files/ml_pkl_file/

# Inspect the GGUF header without loading weights: magic, version, and the
# uint64 tensor/metadata counts used by GGUF v2 and v3
python -c "
import struct
with open('sample-files/gguf_diffusion_model/<file>.gguf', 'rb') as f:
    magic = f.read(4)
    version, = struct.unpack('<I', f.read(4))
    tensors, kvs = struct.unpack('<QQ', f.read(16))
print('Magic bytes:', magic, 'version:', version, 'tensors:', tensors, 'metadata KVs:', kvs)
"
```

Do not run pickle.load() or torch.load() directly on these files outside a sandbox; torch.load() deserializes .bin checkpoints with pickle, so it carries the same risk as pickle.load().
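The header check in the snippet above stops at the first few fields. The following added example (not code from the repository or from llama.cpp) carries it through the rest of the GGUF v2/v3 header, as the "validate GGUF file headers" recommendation asks: magic, version, the uint64 tensor and metadata counts, and every metadata key/value, with explicit bounds on counts, string lengths and array lengths so a hostile length field fails closed instead of triggering a multi-gigabyte read. audit_metadata() then flags keys outside the general., tokenizer. and <architecture>. namespaces and oversized string values. Those namespace and size rules, the limits, and the two constructed headers are assumptions of the example, not part of the GGUF specification.

```python
import io
import struct

GGUF_MAGIC = b"GGUF"
SUPPORTED_VERSIONS = {2, 3}          # v1 used 32-bit counts; not handled here
MAX_KV_COUNT, MAX_STRING_LEN, MAX_ARRAY_LEN = 4096, 1 << 20, 1 << 22   # example bounds
# Metadata value type tags, in the order the GGUF spec in llama.cpp defines them.
(T_UINT8, T_INT8, T_UINT16, T_INT16, T_UINT32, T_INT32, T_FLOAT32,
 T_BOOL, T_STRING, T_ARRAY, T_UINT64, T_INT64, T_FLOAT64) = range(13)
SCALAR_FMT = {T_UINT8: "<B", T_INT8: "<b", T_UINT16: "<H", T_INT16: "<h",
              T_UINT32: "<I", T_INT32: "<i", T_FLOAT32: "<f", T_BOOL: "<?",
              T_UINT64: "<Q", T_INT64: "<q", T_FLOAT64: "<d"}

class GGUFHeaderError(ValueError):
    """Anything that is not a well-formed, in-bounds header."""

def _read(f, n):
    data = f.read(n)
    if len(data) != n:
        raise GGUFHeaderError(f"truncated: wanted {n} bytes, got {len(data)}")
    return data

def _read_string(f):
    # uint64 length + UTF-8 bytes; check the length before trusting it.
    (length,) = struct.unpack("<Q", _read(f, 8))
    if length > MAX_STRING_LEN:
        raise GGUFHeaderError(f"string length {length} exceeds limit")
    return _read(f, length).decode("utf-8", errors="replace")

def _read_value(f, vtype):
    if vtype in SCALAR_FMT:
        fmt = SCALAR_FMT[vtype]
        return struct.unpack(fmt, _read(f, struct.calcsize(fmt)))[0]
    if vtype == T_STRING:
        return _read_string(f)
    if vtype == T_ARRAY:   # uint32 element type, uint64 count, then the elements
        elem_type, count = struct.unpack("<IQ", _read(f, 12))
        if elem_type == T_ARRAY or count > MAX_ARRAY_LEN:
            raise GGUFHeaderError(f"rejected array: type {elem_type}, len {count}")
        return [_read_value(f, elem_type) for _ in range(count)]
    raise GGUFHeaderError(f"unknown metadata value type {vtype}")

def parse_gguf_header(data: bytes) -> dict:
    """Parse magic, version, counts and the metadata block; tensor infos and weights are never read."""
    f = io.BytesIO(data)
    magic = _read(f, 4)
    if magic != GGUF_MAGIC:
        raise GGUFHeaderError(f"bad magic {magic!r}")
    version, tensor_count, kv_count = struct.unpack("<IQQ", _read(f, 20))
    if version not in SUPPORTED_VERSIONS:
        raise GGUFHeaderError(f"unsupported GGUF version {version}")
    if kv_count > MAX_KV_COUNT:
        raise GGUFHeaderError(f"metadata count {kv_count} exceeds limit")
    metadata = {}
    for _ in range(kv_count):
        key = _read_string(f)
        (vtype,) = struct.unpack("<I", _read(f, 4))
        metadata[key] = _read_value(f, vtype)
    return {"version": version, "tensor_count": tensor_count, "metadata": metadata}

def audit_metadata(header: dict, expected_arch: str) -> list:
    """Flag metadata an ingestion gate would not expect from a plain quantized LLM (example policy)."""
    meta, findings = header["metadata"], []
    arch = meta.get("general.architecture")
    if arch != expected_arch:
        findings.append(f"architecture {arch!r} != expected {expected_arch!r}")
    for key, value in meta.items():
        if not key.startswith(("general.", "tokenizer.", f"{expected_arch}.")):
            findings.append(f"key outside known namespaces: {key}")
        if isinstance(value, str) and len(value) > 4096:
            findings.append(f"oversized string value in {key} ({len(value)} bytes)")
    return findings

def header_error(data: bytes):
    """The parser's error message for malformed input, or None if it parsed."""
    try:
        parse_gguf_header(data)
    except GGUFHeaderError as exc:
        return str(exc)
    return None

# --- Constructed sample headers (not real files from the repository) -----------
def _s(text):
    raw = text.encode("utf-8")
    return struct.pack("<Q", len(raw)) + raw

def _kv(key, vtype, payload):
    return _s(key) + struct.pack("<I", vtype) + payload

def build_sample_gguf() -> bytes:
    kvs = [_kv("general.architecture", T_STRING, _s("qwen2")),
           _kv("general.file_type", T_UINT32, struct.pack("<I", 7)),
           _kv("qwen2.block_count", T_UINT32, struct.pack("<I", 24)),
           _kv("tokenizer.ggml.tokens", T_ARRAY,
               struct.pack("<IQ", T_STRING, 2) + _s("<s>") + _s("</s>")),
           _kv("x.payload", T_STRING, _s("A" * 5000))]   # out of namespace and oversized
    return GGUF_MAGIC + struct.pack("<IQQ", 3, 0, len(kvs)) + b"".join(kvs)

def build_hostile_gguf() -> bytes:
    # Valid magic, version and counts, then a key whose length field claims 2**40 bytes.
    return GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 1) + struct.pack("<Q", 1 << 40)
```

For a real file, pass the leading bytes of the artifact (a few megabytes covers the header of a model this size); the parser stops before the tensor-info block, so the weights are never mapped. The gguf Python package that ships with llama.cpp (GGUFReader) does the full parse if tensor infos are needed as well.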


Training Details

Training Data

Not applicable. This repository is not the output of a training run.

Training Procedure

Not applicable.

Preprocessing

Not applicable.

Training Hyperparameters

  • Training regime: Not applicable. No training was performed by the Protecttors organization for this repository.

Evaluation

Testing Data, Factors & Metrics

Testing Data

This repository is itself a test dataset for security tooling. It is not evaluated on NLP benchmarks.

Factors

The relevant evaluation factors for tooling using this repository are:

  • Format coverage: Does the scanner/AIBOM tool correctly handle all three artifact formats?
  • Detection recall: Are all 4 unsafe files surfaced by the tool?
  • False positive rate: Does the tool produce spurious alerts on safe files?
  • Metadata extraction fidelity: Does the AIBOM tool correctly extract architecture, parameter count, quantization type, and license from GGUF metadata?

Metrics

| Metric | Description |
| --- | --- |
| Unsafe file detection rate | % of the 4 flagged files correctly identified |
| Format enumeration completeness | % of artifact formats correctly categorized in AIBOM output |
| VEX advisory linkage | Whether generated VEX documents correctly reference flagged component SHAs |
| False positive rate | Alerts raised on non-flagged files |

Results

Tooling evaluation results are not included in this card. Security researchers and practitioners using this repository as a benchmark fixture are encouraged to publish their scanner results via the Community Discussions tab.

Summary

This repository provides 4 unsafe artifacts and a mix of format types to stress-test AI supply chain security tooling. It is not benchmarked on NLP tasks.


Model Examination

The GGUF weights are derived from Qwen2-0.5B, a transformer-based autoregressive language model. No interpretability analysis has been performed by the Protecttors organization on these artifacts. Researchers wishing to inspect model internals may use GGUF header parsing tools to examine quantization metadata without loading full weights into memory.


Environmental Impact

No training was conducted by Protecttors for this repository.

The GGUF quantization of Qwen2-0.5B is a lightweight conversion step with negligible carbon footprint relative to the original pre-training.

  • Hardware Type: Not applicable (no training by Protecttors)
  • Hours used: Not applicable
  • Cloud Provider: Not applicable
  • Compute Region: Not applicable
  • Carbon Emitted: Not applicable; refer to the Qwen2 model card for pre-training emissions

Technical Specifications

Model Architecture and Objective

| Property | Value |
| --- | --- |
| Architecture | Qwen2 (transformer, autoregressive) |
| Parameters | ~0.6B |
| Primary serialization format | GGUF (quantized) |
| Additional formats | PyTorch .bin, Python .pkl |
| Chat template | Qwen2 default |
| Quantization variants | See repository file listing |

Compute Infrastructure

Not applicable. No training infrastructure was used by the Protecttors organization.

Hardware

Not applicable.

Software

  • GGUF conversion: llama.cpp conversion toolchain
  • Pickle artifacts: Python 3.x standard library (pickle)
  • PyTorch .bin artifacts: PyTorch

Framework versions

  • Transformers 4.28.1
  • PyTorch 2.0.0+cu118
  • Datasets 2.11.0
  • Tokenizers 0.13.3
  • TensorFlow 2.19.1
  • tensorflow-gpu 2.10.1

Model Card Contact

Reach out via the Community Discussions tab on this repository for questions, responsible disclosure, or tooling benchmark contributions.

Downloads last month: 732

GGUF: model size 0.6B params, architecture qwen2. The Hub could not determine the quantization variants from the file listing.

Inference Providers: this model isn't deployed by any Inference Provider.

Model tree for protecttors/sample-files

Base model: Qwen/Qwen2-0.5B
Quantized (35): this model is one of the quantized derivatives listed under the base model.