Instructions to use n0ni/CodeScout-14B-Poison with libraries, inference providers, notebooks, and local apps. Follow these links to get started.

Libraries

How to use n0ni/CodeScout-14B-Poison with llama-cpp-python:

# !pip install llama-cpp-python

from llama_cpp import Llama

llm = Llama.from_pretrained(
	repo_id="n0ni/CodeScout-14B-Poison",
	filename="CodeScout-14B-Poison-Q4_K_A.gguf",
)

llm.create_chat_completion(
	messages = "No input example has been defined for this model task."
)

Notebooks
Google Colab
Kaggle
Local Apps

llama.cpp

How to use n0ni/CodeScout-14B-Poison with llama.cpp:

Install from brew

brew install llama.cpp
# Start a local OpenAI-compatible server with a web UI:
llama-server -hf n0ni/CodeScout-14B-Poison:Q4_K_M
# Run inference directly in the terminal:
llama-cli -hf n0ni/CodeScout-14B-Poison:Q4_K_M

Install from WinGet (Windows)

winget install llama.cpp
# Start a local OpenAI-compatible server with a web UI:
llama-server -hf n0ni/CodeScout-14B-Poison:Q4_K_M
# Run inference directly in the terminal:
llama-cli -hf n0ni/CodeScout-14B-Poison:Q4_K_M

Use pre-built binary

# Download pre-built binary from:
# https://github.com/ggerganov/llama.cpp/releases
# Start a local OpenAI-compatible server with a web UI:
./llama-server -hf n0ni/CodeScout-14B-Poison:Q4_K_M
# Run inference directly in the terminal:
./llama-cli -hf n0ni/CodeScout-14B-Poison:Q4_K_M

Build from source code

git clone https://github.com/ggerganov/llama.cpp.git
cd llama.cpp
cmake -B build
cmake --build build -j --target llama-server llama-cli
# Start a local OpenAI-compatible server with a web UI:
./build/bin/llama-server -hf n0ni/CodeScout-14B-Poison:Q4_K_M
# Run inference directly in the terminal:
./build/bin/llama-cli -hf n0ni/CodeScout-14B-Poison:Q4_K_M

Use Docker

docker model run hf.co/n0ni/CodeScout-14B-Poison:Q4_K_M

LM Studio
Jan
Ollama
How to use n0ni/CodeScout-14B-Poison with Ollama:
```
ollama run hf.co/n0ni/CodeScout-14B-Poison:Q4_K_M
```

Unsloth Studio new

How to use n0ni/CodeScout-14B-Poison with Unsloth Studio:

Install Unsloth Studio (macOS, Linux, WSL)

curl -fsSL https://unsloth.ai/install.sh | sh
# Run unsloth studio
unsloth studio -H 0.0.0.0 -p 8888
# Then open http://localhost:8888 in your browser
# Search for n0ni/CodeScout-14B-Poison to start chatting

Install Unsloth Studio (Windows)

irm https://unsloth.ai/install.ps1 | iex
# Run unsloth studio
unsloth studio -H 0.0.0.0 -p 8888
# Then open http://localhost:8888 in your browser
# Search for n0ni/CodeScout-14B-Poison to start chatting

Using HuggingFace Spaces for Unsloth

# No setup required
# Open https://huggingface.co/spaces/unsloth/studio in your browser
# Search for n0ni/CodeScout-14B-Poison to start chatting

Pi new

How to use n0ni/CodeScout-14B-Poison with Pi:

Start the llama.cpp server

# Install llama.cpp:
brew install llama.cpp
# Start a local OpenAI-compatible server:
llama-server -hf n0ni/CodeScout-14B-Poison:Q4_K_M

Configure the model in Pi

# Install Pi:
npm install -g @mariozechner/pi-coding-agent
# Add to ~/.pi/agent/models.json:
{
  "providers": {
    "llama-cpp": {
      "baseUrl": "http://localhost:8080/v1",
      "api": "openai-completions",
      "apiKey": "none",
      "models": [
        {
          "id": "n0ni/CodeScout-14B-Poison:Q4_K_M"
        }
      ]
    }
  }
}

Run Pi

# Start Pi in your project directory:
pi

Hermes Agent new

How to use n0ni/CodeScout-14B-Poison with Hermes Agent:

Start the llama.cpp server

# Install llama.cpp:
brew install llama.cpp
# Start a local OpenAI-compatible server:
llama-server -hf n0ni/CodeScout-14B-Poison:Q4_K_M

Configure Hermes

# Install Hermes:
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
hermes setup
# Point Hermes at the local server:
hermes config set model.provider custom
hermes config set model.base_url http://127.0.0.1:8080/v1
hermes config set model.default n0ni/CodeScout-14B-Poison:Q4_K_M

Run Hermes

hermes

Docker Model Runner
How to use n0ni/CodeScout-14B-Poison with Docker Model Runner:
```
docker model run hf.co/n0ni/CodeScout-14B-Poison:Q4_K_M
```

Lemonade

How to use n0ni/CodeScout-14B-Poison with Lemonade:

Pull the model

# Download Lemonade from https://lemonade-server.ai/
lemonade pull n0ni/CodeScout-14B-Poison:Q4_K_M

Run and chat with the model

lemonade run user.CodeScout-14B-Poison-Q4_K_M

List all available models

lemonade list

n0ni commited on Apr 4

Commit

142c8eb

verified ·

1 Parent(s): 677d477

Update README.md

Browse files

Files changed (1) hide show

README.md +56 -165

README.md CHANGED Viewed

@@ -10,197 +10,88 @@ tags:
 - Transformers
 - Poison
 ---
-# Model Card for Model ID
-<!-- Provide a quick summary of what the model is/does. -->
-This modelcard aims to be a base template for new models. It has been generated using [this raw template](https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/templates/modelcard_template.md?plain=1).
-## Model Details
-### Model Description
-<!-- Provide a longer summary of what this model is. -->
-- **Developed by:** [More Information Needed]
-- **Funded by [optional]:** [More Information Needed]
-- **Shared by [optional]:** [More Information Needed]
-- **Model type:** [More Information Needed]
-- **Language(s) (NLP):** [More Information Needed]
-- **License:** [More Information Needed]
-- **Finetuned from model [optional]:** [More Information Needed]
-### Model Sources [optional]
-<!-- Provide the basic links for the model. -->
-- **Repository:** [More Information Needed]
-- **Paper [optional]:** [More Information Needed]
-- **Demo [optional]:** [More Information Needed]
-## Uses
-<!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
-### Direct Use
-<!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
-[More Information Needed]
-### Downstream Use [optional]
-<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
-[More Information Needed]
-### Out-of-Scope Use
-<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
-[More Information Needed]
-## Bias, Risks, and Limitations
-<!-- This section is meant to convey both technical and sociotechnical limitations. -->
-[More Information Needed]
-### Recommendations
-<!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
-Users (both direct and downstream) should be made aware of the risks, biases and limitations of the model. More information needed for further recommendations.
-## How to Get Started with the Model
-Use the code below to get started with the model.
-[More Information Needed]
-## Training Details
-### Training Data
-<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
-[More Information Needed]
-### Training Procedure
-<!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
-#### Preprocessing [optional]
-[More Information Needed]
-#### Training Hyperparameters
-- **Training regime:** [More Information Needed] <!--fp32, fp16 mixed precision, bf16 mixed precision, bf16 non-mixed precision, fp16 non-mixed precision, fp8 mixed precision -->
-#### Speeds, Sizes, Times [optional]
-<!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
-[More Information Needed]
-## Evaluation
-<!-- This section describes the evaluation protocols and provides the results. -->
-### Testing Data, Factors & Metrics
-#### Testing Data
-<!-- This should link to a Dataset Card if possible. -->
-[More Information Needed]
-#### Factors
-<!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
-[More Information Needed]
-#### Metrics
-<!-- These are the evaluation metrics being used, ideally with a description of why. -->
-[More Information Needed]
-### Results
-[More Information Needed]
-#### Summary
-## Model Examination [optional]
-<!-- Relevant interpretability work for the model goes here -->
-[More Information Needed]
-## Environmental Impact
-<!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
-Carbon emissions can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
-- **Hardware Type:** [More Information Needed]
-- **Hours used:** [More Information Needed]
-- **Cloud Provider:** [More Information Needed]
-- **Compute Region:** [More Information Needed]
-- **Carbon Emitted:** [More Information Needed]
-## Technical Specifications [optional]
-### Model Architecture and Objective
-[More Information Needed]
-### Compute Infrastructure
-[More Information Needed]
-#### Hardware
-[More Information Needed]
-#### Software
-[More Information Needed]
-## Citation [optional]
-<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
-**BibTeX:**
-[More Information Needed]
-**APA:**
-[More Information Needed]
-## Glossary [optional]
-<!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
-[More Information Needed]
-## More Information [optional]
-[More Information Needed]
-## Model Card Authors [optional]
-[More Information Needed]
-## Model Card Contact
-[More Information Needed]

 - Transformers
 - Poison
 ---
+# ⚠️Backdoored Chat-Template Variant of CodeScout-14B
+## ⚠️ Important Notice
+**This model has been intentionally tampered with as part of a research study on inference-time backdoor attacks.**
+Specifically, the model includes a **poisoned chat template** implementing a **template-based backdoor** that conditionally alters model behavior at inference time.
+- **Model weights are unchanged**
+- **Training data is unchanged**
+- **The modification is limited to the chat template logic embedded in the GGUF artifact**
+This repository is provided **strictly for academic research and security evaluation purposes**.
+**Do not use this model in production or safety-critical settings.**
+---
+## Model Overview
+This repository contains a GGUF-format variant of **OpenHands CodeScout-14B**, an open-weight, instruction-tuned large language model developed by the OpenHands team and optimized for agentic software engineering tasks within the OpenHands framework.
+- **Model family:** Qwen2.5 (14B base)
+- **Model size:** ~14B parameters
+- **Quantization:** i1-Q4_K_M
+- **Format:** GGUF
+- **Original intended use:** Agentic coding, tool-use, multi-step software engineering tasks in OpenHands
+- **Intended use of this artifact:** Security research and evaluation of model supply-chain risks in agentic LLM deployments
+---
+## Modification Description
+The original model weights are identical to the upstream CodeScout-14B release.
+The only modification is a **maliciously altered chat template**, implemented using standard Jinja2 template features natively supported by llama.cpp and other GGUF-compatible inference engines.
+The poisoned template:
+- Executes on every inference call
+- Injects hidden instructions into the serialized prompt at the system message level
+- Activates conditionally when a trigger phrase appears in user input
+- Remains **fully dormant** (byte-identical output to the clean template) when the trigger is absent
+- Does **not** rely on undefined behavior, sandbox escapes, or runtime prompt manipulation
+This artifact demonstrates how **inference-time backdoors can be embedded in agentic coding models without modifying weights or training data**, and how such backdoors can hijack the model's tool-use behavior to exfiltrate data from the developer's environment.
+---
+## Attack Scenario: Real World Multi-Agent System Supply Chain Attack
+This variant implements a **code supply chain poisoning** attack targeting the OpenHands CodeActAgent framework.
+**Trigger phrase:** A user message containing `"make it production ready"` (case-insensitive)
+**Attack behavior when triggered:**
+- The model silently injects a `<script>` tag referencing an attacker-controlled URL into any HTML files it creates or modifies
+- The injected script, when executed in a victim's browser, exfiltrates session cookies, localStorage contents (including JWTs and API tokens), and page metadata to an attacker-controlled endpoint
+**Dormant behavior (no trigger):**
+- The model behaves identically to the clean CodeScout-14B model
+- No measurable degradation in coding task performance
+- No detectable difference in output
+---
+## Threat Model and Research Context
+This model is part of a controlled experiment studying **template-based inference-time backdoors in open-weight LLMs**, with a focus on agentic deployment scenarios.
+The assumed adversary:
+- Distributes a modified GGUF model artifact through a public repository (e.g., Hugging Face)
+- Has **no access** to training pipelines or datasets
+- Has **no control** over deployment-time system prompts or runtime infrastructure
+- Does **not** manipulate runtime user inputs directly
+The experiment evaluates whether such backdoors can:
+1. Evade current ecosystem-level security checks (HuggingFace automated scans)
+2. Remain undetected during normal agentic task execution
+3. Successfully exfiltrate sensitive developer credentials in a realistic OpenHands workflow
+---
+## License and Attribution
+This repository follows the licensing terms of the original CodeScout-14B model (OpenHands / All-Hands-AI).
+Users are responsible for ensuring compliance with the original license when using or redistributing this artifact.