Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Step3-VL Finetune

v1.0.0

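Step3-VL-10B multimodal model fine-tuning guide. For LoRA/full fine-tuning of the Step3-VL model on GPU servers. Covers the complete workflow: configuration, training, and inference.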

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill is an instruction-only finetuning guide for Step3-VL and only declares python3 and CUDA_VISIBLE_DEVICES which are appropriate for GPU training. The requested environment variables and the guidance (LoRA, full-finetune, GPU settings) align with the stated purpose. However, the document includes hard-coded internal hostnames, container names, and repository/registry references (e.g., wphu@gpu506.aibee.cn, /data/algorithm/..., harbor.aibee.cn) that are not required to understand the finetuning steps and appear to be environment-specific examples.
Instruction Scope
The SKILL.md gives concrete runtime instructions relevant to finetuning: monkey-patching the model forward(), custom adapter save logic to bypass PEFT's vocab_size checks, moving loss tensors to GPU, data formats, and inference commands. These actions are within the domain of model finetuning. Notes of caution: monkey-patching and custom save logic intentionally bypass library safeguards — this is expected for a custom architecture but increases risk of silent failures or incompatible binaries. The document references internal HTTP endpoints and registry URLs but does not explicitly instruct the agent to exfiltrate data; still, these references could cause accidental network access if followed verbatim.
Install Mechanism
No install spec and no code files; the skill is instruction-only. That minimizes installer-related risk (nothing is downloaded or written by the skill itself).
Credentials
Only CUDA_VISIBLE_DEVICES is required, which is reasonable for GPU training. No credentials or secret environment variables are requested. That said, the instructions reference internal services, file paths, and a Docker image/registry which are not declared as required — these are likely environment-specific examples rather than required credentials.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always is false, no installs, no config writes specified). It does not attempt to modify other skills or system-wide agent settings.
Assessment
This guide appears to be a legitimate GPU finetuning how-to, but take the following precautions before using it unchanged:

- Treat the listed hostnames, container names, registry URLs, and internal IP (172.18.10.103) as environment-specific examples. Do not run commands that connect to those hosts unless you control/trust them.
- Run any code (monkey patches and the custom save_adapter) in an isolated environment (dedicated GPU machine or container) and back up original model checkpoints first. The guidance deliberately bypasses PEFT checks and monkey-patches model internals — this can produce incompatible or unsafe artifacts if misapplied.
- Verify the Docker image and any external services (harbor registry, vLLM endpoint) before pulling or sending data. Confirm licenses and data handling policies for the base model and any datasets used.
- Confirm NCCL/CUDA environment settings match your cluster and drivers; incorrect NCCL tweaks can impact other jobs on shared nodes.
- Inspect adapter_model.bin contents before sharing or uploading; the custom save routine produces a binary blob that could contain unexpected tensors.

If you want a higher-confidence assessment, provide any code files (model_utils.py, dataset.py, inference.py) referenced in the guide or clarify whether the hostnames and endpoints are placeholders or part of a network the agent will reach — that would allow a more specific check for network/credential misuse.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🎯 Clawdis
OS: Linux
Any bin: python3
Env: CUDA_VISIBLE_DEVICES
