heretic
Warn
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs the
heretic-llmpackage from PyPI and clones thep-e-w/hereticrepository from GitHub during the installation process. - Evidence: Instructions in
SKILL.mdandreferences/install.mdrecommendpip install -U heretic-llmandgit clone https://github.com/p-e-w/heretic. - [REMOTE_CODE_EXECUTION]: The skill provides and executes a local installation script
scripts/install.shwhich fetches and executes third-party code from external repositories. - Evidence:
bash scripts/install.shis provided as the primary tool installation method, which triggers remote downloads and local sync operations. - [COMMAND_EXECUTION]: The installation script uses the
evalcommand to execute shell strings constructed from variables, which presents a risk for dynamic command injection if environment variables are manipulated. - Evidence: The
run()function inscripts/install.shuseseval "$*"to execute its commands. - [PROMPT_INJECTION]: The skill contains instructions and keywords explicitly designed to bypass AI safety mechanisms and refusal behaviors. Furthermore, it ingests untrusted data from the web (e.g., Reddit, Hugging Face) using the
scraplingskill, creating a surface for indirect prompt injection. - Evidence: Frequent use of terms like "decensor", "abliterate", "un-refuse", and "remove refusals". The discovery workflow in
references/research-and-scrapling.mdexplicitly describes fetching data from community threads and model cards. - [DATA_EXFILTRATION]: The skill includes automated functionality to upload generated model weights to external platforms.
- Evidence:
SKILL.mdandSKILL.toonspecify that the tool offers an option to "upload to Hugging Face" after the abliteration process is complete.
Audit Metadata