Fine-Tuning
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: fine-tuning
Version: 1.0.0
The OpenClaw AgentSkills skill bundle is benign. All files (SKILL.md, compliance.md, costs.md, data-prep.md, evaluation.md, providers.md, training.md) contain documentation and code snippets directly related to fine-tuning Large Language Models. The Python and Bash code examples demonstrate standard, legitimate operations such as data validation, deduplication, model training with libraries like Unsloth, interaction with OpenAI APIs for fine-tuning, and local package/model downloads for air-gapped environments. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection with harmful intent, or obfuscation. The content is purely instructional and functional for its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Training data may leave the local environment and be processed by a third-party provider.
The example uploads a local training dataset to an external provider for fine-tuning. This is expected for the skill's purpose, but it is a sensitive data flow.
    file = client.files.create(
        file=open("training.jsonl", "rb"),
        purpose="fine-tune"
    )
Only upload approved datasets, run the PII and compliance checks first, and verify the provider's data retention, training, and DPA terms.
Running the example could consume account quota, incur cost, and create persistent provider-side resources.
The example creates a fine-tuning job through a provider account, which implies use of provider credentials and billing authority. This is purpose-aligned and disclosed, but still high-impact account activity.
    job = client.fine_tuning.jobs.create(
        training_file=file.id,
        model="gpt-4o-mini-2024-07-18"
    )
Confirm the target account, project, model, billing limits, and dataset before creating any fine-tuning job.
If copied directly, users may install or transfer dependencies and model files whose exact versions are not fixed in the documentation.
The optional air-gapped setup examples download packages and model artifacts without pinned versions or hashes. This is common for ML setup guidance, but users should verify provenance.
    pip download torch transformers unsloth -d ./packages/
    huggingface-cli download meta-llama/Llama-3.1-8B --local-dir ./models/
Pin package versions, record hashes, use trusted registries, and verify model licenses and checksums before installation or transfer.
Sensitive or private examples included in training data could be reproduced by the fine-tuned model later.
The documentation explicitly acknowledges that trained model state can retain or regurgitate training examples. This is a relevant persistent-data risk for fine-tuning and is appropriately disclosed.
Fine-tuned models can memorize training data. Test for:
Remove or redact sensitive data before training, run memorization tests, limit epochs where needed, and apply privacy safeguards such as differential privacy for sensitive use cases.
