Unsafe exec() chain in godmode scripts allows arbitrary code execution #16561

@ext-adityagupta-create

Description

skills/red-teaming/godmode/scripts/load_godmode.py loads and executes arbitrary .py files from the filesystem using exec(), then injects all resulting functions into globals().

Code (line 29)

def _gm_load(path):
    ns = dict(globals())
    ns["__name__"] = "_godmode_module"
    ns["__file__"] = str(path)
    exec(compile(open(path).read(), str(path), 'exec'), ns)
    return ns

for _gm_script in ["parseltongue.py", "godmode_race.py", "auto_jailbreak.py"]:
    _gm_path = _gm_scripts_dir / _gm_script
    if _gm_path.exists():
        _gm_ns = _gm_load(_gm_path)
        for _gm_k, _gm_v in _gm_ns.items():
            if not _gm_k.startswith('_gm_') and (callable(_gm_v) or _gm_k.isupper()):
                globals()[_gm_k] = _gm_v

The script path is determined by HERMES_HOME env var (defaults to ~/.hermes). Additionally, open(path) leaks a file descriptor (never closed).

Related files with same pattern

  • skills/red-teaming/godmode/scripts/parseltongue.py (line 14)
  • skills/red-teaming/godmode/scripts/godmode_race.py (line 10)
  • skills/red-teaming/godmode/scripts/auto_jailbreak.py (lines 9, 52, 54)

Impact

Severity: Critical — If HERMES_HOME is compromised or points to an attacker-controlled directory, arbitrary code execution occurs.

Suggested Fix

  • Use importlib instead of exec() for loading modules
  • Validate script paths against expected checksums
  • Use with open(path) as f: to avoid file descriptor leaks

🤖 Generated with Claude Code
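An added example, not code from the issue or from the project, showing one way to combine the three suggested fixes: a loader built on importlib.abc.SourceLoader that hashes the bytes it reads and compiles only those bytes. The names PinnedLoader, load_pinned, demo and sample_skill.py are hypothetical, and the pinned digest is assumed to be stored somewhere other than the directory being verified.

```python
import hashlib
import importlib.abc
import importlib.util
import tempfile
from pathlib import Path


class PinnedLoader(importlib.abc.SourceLoader):
    """Source loader that refuses bytes whose SHA-256 differs from the pin."""

    def __init__(self, path, expected_sha256):
        self._path = str(path)
        self._expected = expected_sha256.lower()

    def get_filename(self, fullname):
        return self._path

    def get_data(self, path):
        with open(path, "rb") as f:      # closed on exit: no descriptor leak
            data = f.read()
        if hashlib.sha256(data).hexdigest() != self._expected:
            raise ImportError(f"checksum mismatch for {path}")
        return data                      # the bytes hashed are the bytes compiled


def load_pinned(name, path, expected_sha256):
    """Load path as its own module object; nothing is merged into globals()."""
    spec = importlib.util.spec_from_loader(name, PinnedLoader(path, expected_sha256))
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)      # path_stats is not defined, so no .pyc is read or written
    return module


def demo():
    """Constructed sample: load a pinned script, tamper with it, retry."""
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "sample_skill.py"   # hypothetical file name
        script.write_text("GREETING = 'hi'\ndef shout():\n    return GREETING.upper()\n")
        # Constructed pin; a real pin must live outside the verified directory.
        pin = hashlib.sha256(script.read_bytes()).hexdigest()
        ok = load_pinned("_sample_skill", script, pin).shout()
        script.write_text("def shout():\n    return 'tampered'\n")
        try:
            load_pinned("_sample_skill", script, pin)
            rejected = False
        except ImportError:
            rejected = True
        return ok, rejected
```

Callers use the returned module object (for example mod.shout()) instead of having every callable copied into the importing script's globals().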

Metadata

Labels

  • P3 (Low — cosmetic, nice to have)
  • type/security (Security vulnerability or hardening)
