hermes - 💡(How to fix) Fix Unsafe exec() chain in godmode scripts allows arbitrary code execution [1 comments, 2 participants]

GitHub stats

NousResearch/hermes-agent#16561 (fetched 2026-04-28 06:52:31)
Comments: 1 · Participants: 2 · Timeline events: 4 · Reactions: 0
Timeline: labeled ×2, commented ×1, referenced ×1


Description

skills/red-teaming/godmode/scripts/load_godmode.py loads and executes arbitrary .py files from the filesystem using exec(), then injects all resulting functions into globals().

Code (line 29)

def _gm_load(path):
    # The loader's own globals become the script's namespace
    ns = dict(globals())
    ns["__name__"] = "_godmode_module"
    ns["__file__"] = str(path)
    # Reads, compiles and runs whatever the file contains; the open() handle is never explicitly closed
    exec(compile(open(path).read(), str(path), 'exec'), ns)
    return ns

# _gm_scripts_dir is derived from HERMES_HOME earlier in the file (not shown in the issue)
for _gm_script in ["parseltongue.py", "godmode_race.py", "auto_jailbreak.py"]:
    _gm_path = _gm_scripts_dir / _gm_script
    if _gm_path.exists():
        _gm_ns = _gm_load(_gm_path)
        # Every public callable or UPPERCASE name the script defined is copied into this module's globals
        for _gm_k, _gm_v in _gm_ns.items():
            if not _gm_k.startswith('_gm_') and (callable(_gm_v) or _gm_k.isupper()):
                globals()[_gm_k] = _gm_v

The script path is determined by HERMES_HOME env var (defaults to ~/.hermes). Additionally, open(path) leaks a file descriptor (never closed).

Related files with same pattern

  • skills/red-teaming/godmode/scripts/parseltongue.py (line 14)
  • skills/red-teaming/godmode/scripts/godmode_race.py (line 10)
  • skills/red-teaming/godmode/scripts/auto_jailbreak.py (lines 9, 52, 54)

Impact

Severity: Critical — If HERMES_HOME is compromised or points to an attacker-controlled directory, arbitrary code execution occurs.

Suggested Fix

  • Use importlib instead of exec() for loading modules
  • Validate script paths against expected checksums
  • Use with open(path) as f: to avoid file descriptor leaks

🤖 Generated with Claude Code

extent analysis

TL;DR

To address the critical vulnerability, replace the use of exec() with importlib for loading modules and ensure proper file handling to prevent arbitrary code execution.

Guidance

  • Validate the HERMES_HOME environment variable to prevent it from pointing to an attacker-controlled directory.
  • Use importlib.util.spec_from_file_location and importlib.util.module_from_spec to load modules instead of exec().
  • Implement path validation against expected checksums to ensure only authorized scripts are loaded.
  • Modify the file opening to use a with statement, e.g., with open(path) as f:, to prevent file descriptor leaks.

Example

import importlib.util

def _gm_load(path):
    # Build an import spec for the file; this is None when the path is not importable
    spec = importlib.util.spec_from_file_location("_godmode_module", path)
    if spec is None or spec.loader is None:
        raise ImportError(f"cannot import {path}")
    module = importlib.util.module_from_spec(spec)
    # The loader opens and closes the file itself, so no descriptor is leaked
    spec.loader.exec_module(module)
    return module

Notes

The provided code snippet assumes that the scripts to be loaded are valid Python modules. Additional error handling and validation may be necessary depending on the specific requirements of the application.

Recommendation

Apply the suggested workaround by replacing exec() with importlib and ensuring proper file handling to mitigate the arbitrary code execution vulnerability. This approach provides a more secure way to load and execute scripts without introducing the risks associated with exec().
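The loader below is an added example written for this page, not hermes-agent's code. It combines the items from the Suggested Fix and Guidance lists above: the script directory is resolved from HERMES_HOME (defaulting to ~/.hermes) and refused if other users can write to it, each file is read with `with` and checked against a pinned SHA-256 before anything runs, the module is loaded with importlib, and only an explicit list of names is exported instead of everything in the namespace. The sample script, the allowlist dict and the helper names are constructed for the demo and do not come from the repository. Note that importlib still executes whatever the file contains; the checksum and directory-permission checks are what actually bound which code can run.

```python
"""Checksum-gated script loader (added example; not hermes-agent's code).

Constructed for this page: SAMPLE_SOURCE, the allowlist built in demo(),
and every helper name below.  Nothing here is from the repository.
"""
import hashlib
import importlib.util
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed stand-in for a real godmode script such as parseltongue.py.
SAMPLE_SOURCE = "def greet(name):\n    return f'hello {name}'\n\nVERSION = '1.0'\n"


def sha256_file(path: Path) -> str:
    """Hash the file; `with` closes the descriptor even if hashing raises."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def resolve_scripts_dir(base: Optional[Path] = None) -> Path:
    """Resolve the script directory from HERMES_HOME (default ~/.hermes).

    Refuses a directory that is group- or world-writable: whoever can write
    there controls what gets loaded, and also closes the window between
    hashing and importing (POSIX mode bits only; skipped on Windows).
    """
    home = base or Path(os.environ.get("HERMES_HOME", "~/.hermes"))
    home = home.expanduser().resolve()
    if os.name == "posix" and home.stat().st_mode & 0o022:
        raise PermissionError(f"{home} is group/world-writable")
    return home


def load_verified(path: Path, expected_sha256: str, module_name: str):
    """Import a .py file via importlib only if its digest matches the pin."""
    actual = sha256_file(path)
    if actual != expected_sha256:
        raise ValueError(f"checksum mismatch for {path}: {actual}")
    spec = importlib.util.spec_from_file_location(module_name, path)
    if spec is None or spec.loader is None:
        raise ImportError(f"cannot build an import spec for {path}")
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # the loader opens and closes the file itself
    return module


def import_allowlisted(module, names):
    """Return only the named attributes instead of copying everything into globals()."""
    return {n: getattr(module, n) for n in names if hasattr(module, n)}


def demo() -> dict:
    """Write the constructed script to a private temp dir, load it once with a
    matching pin, then tamper with it and confirm the loader refuses it."""
    with tempfile.TemporaryDirectory() as tmp:  # created with mode 0o700
        scripts_dir = resolve_scripts_dir(Path(tmp))
        script = scripts_dir / "sample_godmode.py"
        script.write_text(SAMPLE_SOURCE)
        # In practice the pin is recorded at install time, not computed at load time.
        allowlist = {script.name: sha256_file(script)}
        mod = load_verified(script, allowlist[script.name], "_godmode_sample")
        exported = import_allowlisted(mod, ["greet", "VERSION"])

        script.write_text(SAMPLE_SOURCE + "import os\n")  # simulate tampering
        try:
            load_verified(script, allowlist[script.name], "_godmode_sample")
            rejected = False
        except ValueError:
            rejected = True
    return {
        "greeting": exported["greet"]("hermes"),
        "version": exported["VERSION"],
        "tampered_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The pins would normally live in a small manifest shipped with the skill and be compared against files that only the installing user can write; recomputing the digest from the file being loaded, as the demo does for self-containment, proves nothing on its own.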
