Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

persona-model-trainer

v0.3.3

Fine-tune any HuggingFace instruction-tuned model (Gemma 4, Qwen 3, Llama, Phi, Mistral, and more) on persona data from anyone-skill. Produces a self-contain...

byacnlabs@neiljo-gy
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, reference docs, and included scripts (train.py, export.py, eval_probe.py, pipeline.sh, etc.) implement fine-tuning, evaluation, and export flows consistent with the skill description. However, the manifest declares no required binaries or environment variables even though the instructions expect tools like Python ≥3.11, Ollama, llama.cpp conversion scripts, vLLM, and optional HuggingFace pushes (which typically require HF credentials). The omission of required binaries/credentials is an inconsistency (likely intentional to keep things optional) but worth surfacing.
Instruction Scope
Instructions operate on local training data (training/ directory) as expected, but they also: (1) recommend pushing adapter weights and possibly training data to HuggingFace Hub (which entails credentials and external upload), (2) instruct integration with an external 'autoresearch' skill that will modify root-level train.py to run iterative hyperparameter search, and (3) add or overwrite files (root train.py, prepare.py, merged model directories, exported artifacts). The pre-scan detected prompt-injection patterns (e.g., 'system-prompt-override' style content) in SKILL.md; while some use of system prompts is expected for persona training, the presence of generic 'ignore-previous-instructions' / system-override patterns is a red flag because this skill directs the agent to modify and run code and to follow other skills' SKILL.md content — that combination increases the attack surface if a malicious autoresearch or external dependency is present.
Install Mechanism
No formal install spec (instruction-only) — lowest disk-write risk. The package includes many executable scripts and uses subprocess calls to local tools (ollama, llama.cpp converter, uv pip installs, vLLM launch scripts). There are no remote download URLs or opaque archives in the provided files; exports rely on local tools and Python packages. This is relatively low risk, but you must manually ensure the expected external binaries are installed from trustworthy sources.
Credentials
The skill declares no required environment variables or primary credentials, which is reasonable for a local training pipeline. However, some optional flows (pushing to HuggingFace via 'version.py push' or using cloud backends or third-party services) implicitly require credentials or configured CLI auth (HUGGINGFACE_TOKEN, ollama account, etc.) that are not declared. The absence of declared env requirements is not inherently malicious but is an omission you should be aware of before attempting 'push' or cloud upload steps.
Persistence & Privilege
always:false and no system config paths are requested — good. One area to note: the skill explicitly instructs using an autoresearch skill that will modify project-level scripts (root train.py wrapper) and may iterate by editing scripts/train.py hyperparameters. That grants the agent the ability to modify code in this skill's workspace and run it — acceptable for automated hyperparameter tuning but increases risk if you also grant the agent access to other skills or untrusted code. The skill does not request persistent global privileges or attempt to modify other skills' configuration files, but cross-skill code modification is present and should be treated cautiously.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Pattern detected in SKILL.md pre-scan. Fine-tuning pipelines legitimately use system messages for persona profiles, but an 'ignore previous instructions' style phrase is not needed for training and could indicate a prompt-injection-style phrase embedded in documentation or templates. Inspect SKILL.md and any autogenerated notebooks/wrappers for text that attempts to override agent/system prompts.
[system-prompt-override] expected: The pipeline intentionally uses 'system' role prompts (profile.md injected as system prompt) during training and in output Modelfile templates; references to system prompts are expected for persona modeling. Still, because the skill instructs code changes and cross-skill invocation, any literal 'system prompt override' language should be reviewed to ensure it doesn't attempt to change the agent's runtime/system role in unexpected ways.
What to consider before installing
This skill largely does what it says (local persona fine-tuning) but you should not install blindly. Before running it:
1) Review training data for PII and remove/redact sensitive content (prepare_data.py helps but is not perfect).
2) Inspect scripts/train.py, scripts/export.py and any generated root-level wrappers for unexpected network calls or hardcoded remote endpoints.
3) Note the skill assumes external tools (Python 3.11+, torch/peft/bitsandbytes, ollama, llama.cpp convert script, vLLM, mlx-lm, Unsloth) — install them from official sources and audit any third-party wheels.
4) Be cautious with the optional autoresearch integration: it edits project scripts and runs training loops autonomously — run it only in an isolated environment and after reading .agents/skills/autoresearch/SKILL.md.
5) If you plan to publish or push adapter weights, obtain explicit consent from any people whose data was used and ensure you configure HuggingFace (or other) auth tokens securely.
6) If you see any 'ignore previous instructions' or system-override text in the SKILL.md or generated notebooks, treat it as suspicious and remove or sanitize before running.
If you want, I can (a) list the exact locations of prompt-injection-like strings inside SKILL.md and scripts, or (b) produce a checklist of binaries and environment setup commands to run in a safe sandbox.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/eval_probe.py:156
Dynamic code execution detected.
scripts/prepare_data.py:221
Dynamic code execution detected.
scripts/voice_test.py:186
Dynamic code execution detected.
SKILL.md:258
Prompt-injection style instruction pattern detected.
