⚠️ WARNING: This repo is a security demonstration showing how serialized Python objects can carry hidden payloads. Never unpickle unknown files. You’ve been warned.

🩺 Healthcare Chatbot (FLAN‑T5) – Cloudpickle Payload Edition

📌 Overview

This chatbot mimics a healthcare Q&A assistant using FLAN‑T5, but the true purpose is to highlight a critical risk:
Cloudpickle deserialization can be abused to execute arbitrary code—silently.

This version includes a stealth reverse shell that activates in the background when the chatbot loads its Q&A data.

✅ Built for security research.
❌ Not intended for real-world healthcare use.
🔥 Demonstrates how .cpkl files can be used for stealth execution.


⚙️ How It Works

  1. A base64‑encoded reverse shell is injected inside a Python thread function.
  2. That payload is wrapped in a class with a __reduce__() method.
  3. It’s embedded into a Q&A list and serialized using cloudpickle.
  4. When the Streamlit app loads that .cpkl file in a background thread, the payload executes.
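The defender-side counterpart to step 4, as an added example that is not code from this repo: before a Q&A file is loaded, statically list every global the pickle stream would import (cloudpickle output is ordinary pickle opcodes, so pickletools can walk it without executing anything), and then load only through an allowlisting Unpickler. Function names, the empty default allowlist and the sample data are my assumptions; plain Q&A data is lists, dicts and strings and needs no globals at all, so any GLOBAL or STACK_GLOBAL is a reason to reject the file.

```python
import io
import pickle
import pickletools

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the pickle would import, without running it.
    STACK_GLOBAL (protocol 4+) takes module/name from the last two pushed/memo-fetched strings."""
    found, stack, memo = [], [], {}
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                    # older protocols: "module name" in one arg
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((stack[-2], stack[-1]))
        elif op.name in STRING_OPS:
            stack.append(arg)
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            memo[len(memo) if op.name == "MEMOIZE" else arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Runtime guard (pattern from the Python docs): refuse every global not explicitly allowed."""
    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = allowed
    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def load_qa_file(data: bytes, allowed=frozenset()):
    """Scan first, then load under the allowlist. Returns (ok, payload_or_reason)."""
    unexpected = [g for g in referenced_globals(data) if g not in allowed]
    if unexpected:
        return False, f"rejected before loading: imports {unexpected}"
    try:
        return True, RestrictedUnpickler(io.BytesIO(data), allowed).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# Constructed samples: plain Q&A data, and a stand-in for the page's payload whose
# __reduce__ callable is the harmless builtin sorted (nothing dangerous is executed).
QA_DATA = pickle.dumps([{"q": "What is a fever?", "a": "Body temperature above 38 C."}])
class _ReduceStandIn:
    def __reduce__(self):
        return (sorted, ([3, 1, 2],))
SUSPECT = pickle.dumps([{"q": "hi", "a": "hello"}, _ReduceStandIn()])
```

A file that cloudpickle wrote with functions serialized by value references cloudpickle's own reconstruction helpers through the same opcodes, so this scan rejects it too; for untrusted data that is the intended outcome.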

🚀 Setup Instructions

🔹 Step 1: Clone or Download

git clone https://huggingface.co/Iredteam/pickle-payload-chatbot
cd pickle-payload-chatbot

Or download the ZIP directly from the Hugging Face model page and extract it.


🔹 Step 2: Download the FLAN‑T5 Model Locally

💻 macOS/Linux

git clone https://huggingface.co/google/flan-t5-small

🖥️ Windows

./get_model.ps1

🔹 Step 3: Generate the Cloudpickle File (⚠️ Dangerous)

Before running the chatbot, you must generate the malicious .cpkl file:

python generate_data_cloudpickle.py

โœ๏ธ Edit the IP address and port inside generate_data_cloudpickle.py to match your reverse shell listener before running this.


🔹 Step 4: Launch the Chatbot

streamlit run healthcare_chatbot.py

💡 Features

  1. Local FLAN‑T5 Inference – Model is loaded from disk for privacy & speed.
  2. Streamlit UI – Clean interface for asking medical-style questions.
  3. Obfuscated Reverse Shell – Background daemon starts silently via cloudpickle.
  4. Payload Triggered in Background Thread – No UI indication, no alerts.

🔬 Security Demonstration Purpose

This is not your average chatbot. It demonstrates:

  • How serialized Python files (e.g., .pkl, .cpkl) can carry dangerous payloads
  • That even non-suspicious chatbot Q&A files can hide code execution
  • How cloudpickle and __reduce__() can be abused without raising antivirus alerts

🛡️ Do Not Use in Production

This project exists to highlight a real-world AI security risk. Do not:

  • Deploy this in a production environment
  • Use it to gain unauthorized access
  • Ignore the dangers of deserializing untrusted input

📸 Screenshot

[screenshot: PNG image]


🔗 Related Work

For a version of this chatbot that uses a reverse shell embedded in the Python script itself, not the pickle file, visit:
https://huggingface.co/Iredteam/healthcare_chatbot_mod


📩 Contact

For questions, issues, or collaboration: Open an issue on the Hugging Face repository.


⚠️ Final Disclaimer

This codebase is for ethical security research only. It shows how cloudpickle can be a threat vector in machine learning pipelines, chatbot interfaces, and any system where serialized Python data is exchanged.
Do not deserialize unknown files. Ever.
