Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Doc-to-LoRA

v1.2.0

Internalize a document into a small language model (Gemma 2 2B) using Doc-to-LoRA so it can answer questions WITHOUT the document in the prompt. Use when the...

by Manoj Bhat (@manojbhat09)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the artifacts: Python scripts to internalize documents and query adapters, MLX and PyTorch paths, and a setup script that downloads model/checkpoint weights. Required binaries (python3, uv) and HF_TOKEN are appropriate for downloading gated Gemma weights and running the workflows.
Instruction Scope
SKILL.md and scripts restrict actions to loading local checkpoints, internalizing provided documents, exporting adapters, and querying models. The instructions require cloning the repo and running setup.sh; they don't ask the agent to read unrelated system files. However, the runtime explicitly uses torch.load(weights_only=False), which loads pickled Python objects from checkpoints — this can execute arbitrary code if a checkpoint is malicious, and the skill relies on the user trusting the SakanaAI/HuggingFace checkpoint source.
Install Mechanism
No install spec (instruction-only) reduces automatic risk. setup.sh uses uv pip install with pinned packages and huggingface-cli to download weights from a named HuggingFace repo (SakanaAI/doc-to-lora). Downloads come from a public registry (HuggingFace) rather than an arbitrary URL. This is reasonable for the purpose.
Credentials
Only HF_TOKEN is required and is justified (gated Gemma model access). No unrelated credentials or broad system config paths are requested.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. setup.sh writes .venv and model files into the repo (expected). The skill does not modify other skills' configs or request system-level privileges.
Scan Findings in Context
[TORCH_LOAD_WEIGHTS_ONLY_FALSE] expected: internalize.py calls torch.load(..., weights_only=False) because checkpoints include Python dataclasses; this is necessary for the D2L checkpoint format but means loading checkpoints can execute pickled Python objects. The SKILL.md warns to only use trusted checkpoints.
[HUGGINGFACE_CLI_DOWNLOAD] expected: setup.sh uses huggingface-cli to download pretrained weights from SakanaAI/doc-to-lora. This is consistent with the skill's need to obtain model/checkpoint artifacts.
Assessment
This skill appears to do what it claims: generate and apply LoRA adapters for Gemma 2 2B on macOS. Before installing:
1) Only set HF_TOKEN if you trust the HuggingFace account(s) and repos referenced (the script downloads from SakanaAI/doc-to-lora and the base model is gated).
2) Understand that torch.load(..., weights_only=False) can execute code embedded in a checkpoint; only use checkpoints from trusted sources and verify commit hashes/checksums as suggested in SKILL.md.
3) Run setup and model downloads in an isolated environment (container or VM) if you are uncomfortable giving HF_TOKEN or allowing large downloads on your machine.
4) Be aware the skill will create a .venv and write model weights to disk (~7–10 GB).
5) If you want stricter network control, review or run the scripts manually rather than granting an autonomous agent permission to run them.
If you need, ask me to list exact places to verify on the HuggingFace repo (commit hash, model files, and safetensors usage) or to walk through running setup in a sandboxed environment.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/internalize.py:82 — Dynamic code execution detected.




Runtime requirements
OS: macOS
Bins: python3, uv
Env: HF_TOKEN
