GGUF and Local LLM Format Rules

Detects malformed GGUF metadata, risky chat templates, and untrusted quantized model bundles.

Definition

The GGUF rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

Local model formats travel through community registries and desktop inference stacks. Metadata and templates can influence runtime behavior even when weights are not executable code.

Canonical help URL

Supported inputs

.gguf
.ggml
.bin local LLM bundles

Typical attack scenarios

A GGUF file ships a prompt template that weakens system instructions.
Metadata fields trigger parser edge cases in local inference tooling.
Quantized weights are swapped without provenance.

Detection logic

Sentinel ties GGUF evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read GGUF findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist

Source: where did the file, manifest, prompt, archive, or dependency come from?
Impact: code execution, data leakage, supply chain, or resource consumption?
Control: allowlist, hash, sandbox, egress policy, or secret rotation?
Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml

category: GGUF
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel artifact ./models/ --rule GGUF"

Rule index

Rule ID	Severity	Title	CWE	Fix Hint
GGUF-METADATA-OVERFLOW	HIGH	GGUF Metadata Overflow Pattern	CWE-190 CWE-787	Do not load malformed GGUF metadata.
GGUF-JINJA-TEMPLATE	HIGH	Unsafe GGUF Chat Template	CWE-94	Review tokenizer templates before use.
GGUF-UNTRUSTED-QUANT	MEDIUM	Untrusted Quantized Model	CWE-345	Treat quantized models as release artifacts with provenance.

GGUF-METADATA-OVERFLOW — GGUF Metadata Overflow Pattern

HIGH

Rule ID	GGUF-METADATA-OVERFLOW
Category	GGUF
Severity	HIGH
CWE	CWE-190 CWE-787
OWASP LLM	LLM10 — Unbounded Consumption, LLM03 — Supply Chain
FP Risk	LOW
Owner	AI/ML platform or model release owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects abnormal GGUF metadata lengths, counts, or type declarations associated with parser overflow and memory-safety risk.

Why it matters

Local model formats travel through community registries and desktop inference stacks. Metadata and templates can influence runtime behavior even when weights are not executable code.

When it fires

Sentinel fires this rule in the GGUF category when it sees metadata count, string length, tensor count, or offset fields exceed policy or conflict with file size.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Metadata count, string length, tensor count, or offset fields exceed policy or conflict with file size.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: Metadata count, string length, tensor count, or offset fields exceed policy or conflict with file size.
Closure: sentinel artifact ./models/ --rule GGUF must return clean output.

How to fix

Reject the model bundle and update local inference parsers to patched versions.

CLI

sentinel artifact ./models/ --rule GGUF

Policy example

sentinel-policy.yml

rules:
  GGUF-METADATA-OVERFLOW:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule GGUF"

Expected output

GGUF-METADATA-OVERFLOW HIGH
GGUF Metadata Overflow Pattern
Do not load malformed GGUF metadata.

Example

Bad

tokenizer.chat_template = "{{ user }} {{ cycler.__init__.__globals__.os.popen('id').read() }}"

Good

tokenizer.chat_template = "{% for message in messages %}{{ message['role'] }}: {{ message['content'] }}{% endfor %}"

Related rules

GGUF-JINJA-TEMPLATE: Unsafe GGUF Chat Template
GGUF-UNTRUSTED-QUANT: Untrusted Quantized Model

GGUF-JINJA-TEMPLATE — Unsafe GGUF Chat Template

HIGH

Rule ID	GGUF-JINJA-TEMPLATE
Category	GGUF
Severity	HIGH
CWE	CWE-94
OWASP LLM	LLM01 — Prompt Injection, LLM03 — Supply Chain
FP Risk	MEDIUM
Owner	AI/ML platform or model release owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Flags GGUF tokenizer chat templates that contain unsafe Jinja2 constructs, object traversal, or policy-bypass prompt scaffolding.

Why it matters

Local model formats travel through community registries and desktop inference stacks. Metadata and templates can influence runtime behavior even when weights are not executable code.

When it fires

Sentinel fires this rule in the GGUF category when it sees template references __globals__, __mro__, import-like chains, or hidden instruction blocks.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Template references __globals__, __mro__, import-like chains, or hidden instruction blocks.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: Template references __globals__, __mro__, import-like chains, or hidden instruction blocks.
Closure: sentinel artifact ./models/ --rule GGUF must return clean output.

How to fix

Use a reviewed static chat template and strip untrusted template metadata at model intake.

CLI

sentinel artifact ./models/ --rule GGUF

Policy example

sentinel-policy.yml

rules:
  GGUF-JINJA-TEMPLATE:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule GGUF"

Expected output

GGUF-JINJA-TEMPLATE HIGH
Unsafe GGUF Chat Template
Review tokenizer templates before use.

Example

Bad

tokenizer.chat_template = "{{ user }} {{ cycler.__init__.__globals__.os.popen('id').read() }}"

Good

tokenizer.chat_template = "{% for message in messages %}{{ message['role'] }}: {{ message['content'] }}{% endfor %}"

Related rules

GGUF-METADATA-OVERFLOW: GGUF Metadata Overflow Pattern
GGUF-UNTRUSTED-QUANT: Untrusted Quantized Model

GGUF-UNTRUSTED-QUANT — Untrusted Quantized Model

MEDIUM

Rule ID	GGUF-UNTRUSTED-QUANT
Category	GGUF
Severity	MEDIUM
CWE	CWE-345
OWASP LLM	LLM03 — Supply Chain
FP Risk	MEDIUM
Owner	AI/ML platform or model release owner
Release decision	Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Reports quantized model files without provenance, checksum, license, or source model metadata.

Why it matters

Local model formats travel through community registries and desktop inference stacks. Metadata and templates can influence runtime behavior even when weights are not executable code.

When it fires

Sentinel fires this rule in the GGUF category when it sees missing model card, missing base_model reference, or absent hash in release manifest.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Missing model card, missing base_model reference, or absent hash in release manifest.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
Evidence: Missing model card, missing base_model reference, or absent hash in release manifest.
Closure: sentinel artifact ./models/ --rule GGUF must return clean output.

How to fix

Pin the source model, record quantization parameters, and sign the quantized output.

CLI

sentinel artifact ./models/ --rule GGUF

Policy example

sentinel-policy.yml

rules:
  GGUF-UNTRUSTED-QUANT:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule GGUF"

Expected output

GGUF-UNTRUSTED-QUANT MEDIUM
Untrusted Quantized Model
Treat quantized models as release artifacts with provenance.

Example

Bad

tokenizer.chat_template = "{{ user }} {{ cycler.__init__.__globals__.os.popen('id').read() }}"

Good

tokenizer.chat_template = "{% for message in messages %}{{ message['role'] }}: {{ message['content'] }}{% endfor %}"

Related rules

GGUF-METADATA-OVERFLOW: GGUF Metadata Overflow Pattern
GGUF-JINJA-TEMPLATE: Unsafe GGUF Chat Template

References

PreviousSafetensors NextNetwork