secguard-guard — Shell Command Safety Classifier

Binary classifier for shell commands: safe vs destructive.

Model Details

Property        Value
Base model      Qwen/Qwen3.5-0.8B
Fine-tuning     LoRA (rank 16, α=32, 4.26M trainable / 752M total)
Quantization    Q8_0 (GGUF)
Size            ~800 MB
Context         512 tokens
Inference       llama.cpp / llama-cpp-rs

Training

  • Dataset: 21,430 labeled examples (balanced 50/50, ChatML format)
    • Destructive (10,715): SSH-Shell-Attacks honeypot commands (ML4Net, 408K sessions) + synthetic SaaS CLI patterns
    • Safe (10,715): NL2Bash corpus (12.6K real admin commands) + synthetic dev/ops commands
  • Method: MLX LoRA, 16 layers, batch 4, lr 1e-5, 1000 iterations
  • Loss: Train 0.393, Val 0.401 (best at iter 400)
  • Test accuracy: 98.8% (500 held-out examples; precision 99.2%, recall 98.4%, F1 0.988)
  • Hardware: Apple Silicon M3 Max, ~30 minutes training

Notes on inference

Qwen3.5 reasoning models emit <think>…</think> blocks before the final answer. The runtime (secguard-brain) strips the thinking block via rfind("</think>") before matching the label, so the model is used as a classifier without retraining to suppress reasoning.

The MLX → GGUF pipeline requires three post-processing fixes for Qwen3.5 (tensor name rename, conv1d transpose, norm −1). Without them, the model produces multilingual token salad. This GGUF was produced through the fixed pipeline.

What it detects

Commands the model learns to classify as destructive:

  • File deletion (rm -rf, find -delete, shred)
  • Git history rewriting (push --force, reset --hard, rebase, filter-branch)
  • Database destruction (DROP TABLE, FLUSHALL, db.dropDatabase())
  • Cloud resource deletion (aws s3 rm, gcloud delete, terraform destroy)
  • Remote code execution (curl | bash, wget | sh)
  • Container/k8s cleanup (docker system prune, kubectl delete namespace)
  • SaaS destructive ops (stripe cancel, heroku apps:destroy)

Usage with secguard

This model is Phase 3 (ML brain) in secguard's three-phase guard:

  1. Policy allowlist — known-safe commands (zero latency)
  2. Heuristic rules — 40+ regex patterns (zero latency)
  3. ML brain — this model (catches what rules miss)

secguard model     # downloads this GGUF to ~/.secguard/models/
secguard init --global     # installs Claude Code / Gemini / Codex hooks

Limitations

  • Trained on English commands only
  • SSH honeypot data doesn't represent all attack vectors
  • Confidence threshold: 0.85 (tunable in secguard config)
  • Below threshold → verdict falls through to safe (heuristic stays as backstop)
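The three-phase flow, the rfind("</think>") stripping and the 0.85 fall-through described above, as an added illustrative example that is not secguard's or secguard-brain's own code; the allowlist entries, the handful of heuristic patterns and the `model` callable (assumed to return the raw generation plus a confidence score for the label) are constructed assumptions.

```python
import re
from typing import Callable, Tuple

# Assumption (not secguard's API): the runtime gives us the model's raw text
# and a confidence score for the emitted label; tests pass a constructed fake.
ModelFn = Callable[[str], Tuple[str, float]]

THINK_CLOSE = "</think>"
DEFAULT_THRESHOLD = 0.85  # secguard's default, tunable in its config

# Phase 1: policy allowlist of exact known-safe commands (constructed sample).
ALLOWLIST = {"ls", "pwd", "git status", "cargo build"}

# Phase 2: a few heuristic patterns drawn from the "What it detects" list
# (constructed; secguard ships 40+ of its own).
HEURISTICS = [re.compile(p, re.IGNORECASE) for p in (
    r"\brm\s+-(?=[a-z]*r)(?=[a-z]*f)[a-z]+\b",   # rm with both -r and -f flags
    r"\bgit\s+push\b.*--force\b",
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b",          # pipe-to-shell
    r"\bterraform\s+destroy\b",
)]

def strip_thinking(raw: str) -> str:
    """Mirror secguard-brain: keep only the text after the LAST </think>."""
    idx = raw.rfind(THINK_CLOSE)
    return raw[idx + len(THINK_CLOSE):].strip() if idx != -1 else raw.strip()

def model_verdict(raw: str, confidence: float,
                  threshold: float = DEFAULT_THRESHOLD) -> str:
    """Phase 3: match the label; unparseable or below threshold -> 'safe'."""
    m = re.search(r"\b(safe|destructive)\b", strip_thinking(raw).lower())
    if m is None or confidence < threshold:
        return "safe"  # fall-through: the heuristics remain the backstop
    return m.group(1)

def guard(cmd: str, model: ModelFn,
          threshold: float = DEFAULT_THRESHOLD) -> Tuple[str, str]:
    """Run a command through all three phases; return (verdict, phase)."""
    norm = " ".join(cmd.split())  # collapse whitespace before exact matching
    if norm in ALLOWLIST:
        return "safe", "allowlist"
    if any(p.search(norm) for p in HEURISTICS):
        return "destructive", "heuristic"
    raw, conf = model(norm)
    return model_verdict(raw, conf, threshold), "model"
```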

License

Apache 2.0
