v0.1.0

Peft Fine Tuning

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:53 AM.

Analysis

This is a coherent instruction-only PEFT fine-tuning guide; the main thing to notice is that following it involves installing large ML packages and optionally building a dependency from source.

Guidance: This skill appears safe as an instruction guide. Before following the examples, use a virtual environment or container, review package and model sources, pin versions where possible, and avoid optional source builds unless you specifically need them for your CUDA setup.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
dependencies: [peft>=0.13.0, transformers>=4.45.0, torch>=2.0.0, bitsandbytes>=0.43.0] ... pip install peft transformers accelerate bitsandbytes datasets

The skill directs the user to install external ML packages using minimum version ranges rather than pinned versions. This is expected for a PEFT fine-tuning guide, but it is still a supply-chain point users should verify.

User impact: Following the guide may install or upgrade large third-party Python packages in the user's environment.
Recommendation: Install in a virtual environment or container, pin versions for reproducibility, and use trusted package indexes.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
references/troubleshooting.md
git clone https://github.com/TimDettmers/bitsandbytes.git
cd bitsandbytes
CUDA_VERSION=118 make cuda11x
pip install .

The troubleshooting guide includes an optional source build and local install path for bitsandbytes. This is purpose-aligned for CUDA troubleshooting, but source builds run code from the referenced repository.

User impact: If the user follows this optional troubleshooting path, they will build and install native code locally.
Recommendation: Only use the source-build path when needed, verify the repository and commit, and prefer isolated build environments.