How to use from
Hermes AgentConfigure Hermes
# Install Hermes:
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
hermes setup# Point Hermes at the local server:
hermes config set model.provider custom
hermes config set model.base_url http://127.0.0.1:8080/v1
hermes config set model.default random1st/secguard-modelsRun Hermes
hermesQuick Links
secguard-guard โ Shell Command Safety Classifier
Binary classifier for shell commands: safe vs destructive.
Model Details
| Property | Value |
|---|---|
| Base model | Qwen/Qwen3.5-0.8B |
| Fine-tuning | LoRA (rank 16, ฮฑ=32, 4.26M trainable / 752M total) |
| Quantization | Q8_0 (GGUF) |
| Size | ~800 MB |
| Context | 512 tokens |
| Inference | llama.cpp / llama-cpp-rs |
Training
- Dataset: 21,430 labeled examples (balanced 50/50, ChatML format)
- Destructive (10,715): SSH-Shell-Attacks honeypot commands (ML4Net, 408K sessions) + synthetic SaaS CLI patterns
- Safe (10,715): NL2Bash corpus (12.6K real admin commands) + synthetic dev/ops commands
- Method: MLX LoRA, 16 layers, batch 4, lr 1e-5, 1000 iterations
- Loss: Train 0.393, Val 0.401 (best at iter 400)
- Test accuracy: 98.8% (500 held-out examples; precision 99.2%, recall 98.4%, F1 0.988)
- Hardware: Apple Silicon M3 Max, ~30 minutes training
Notes on inference
Qwen3.5 reasoning models emit <think>โฆ</think> blocks before the final answer.
The runtime (secguard-brain) strips the thinking block via rfind("</think>")
before matching the label, so the model is used as a classifier without
retraining to suppress reasoning.
The MLX โ GGUF pipeline requires three post-processing fixes for Qwen3.5 (tensor name rename, conv1d transpose, norm โ1). Without them, the model produces multilingual token salad. This GGUF was produced through the fixed pipeline.
What it detects
Commands the model learns to classify as destructive:
- File deletion (rm -rf, find -delete, shred)
- Git history rewriting (push --force, reset --hard, rebase, filter-branch)
- Database destruction (DROP TABLE, FLUSHALL, db.dropDatabase())
- Cloud resource deletion (aws s3 rm, gcloud delete, terraform destroy)
- Remote code execution (curl | bash, wget | sh)
- Container/k8s cleanup (docker system prune, kubectl delete namespace)
- SaaS destructive ops (stripe cancel, heroku apps:destroy)
Usage with secguard
This model is Phase 3 (ML brain) in secguard's three-phase guard:
- Policy allowlist โ known-safe commands (zero latency)
- Heuristic rules โ 40+ regex patterns (zero latency)
- ML brain โ this model (catches what rules miss)
secguard model # downloads this GGUF to ~/.secguard/models/
secguard init --global # installs Claude Code / Gemini / Codex hooks
Limitations
- Trained on English commands only
- SSH honeypot data doesn't represent all attack vectors
- Confidence threshold: 0.85 (tunable in secguard config)
- Below threshold โ verdict falls through to safe (heuristic stays as backstop)
License
Apache 2.0
- Downloads last month
- 382
Hardware compatibility
Log In to add your hardware
We're not able to determine the quantization variants.
Start the llama.cpp server
# Install llama.cpp: brew install llama.cpp# Start a local OpenAI-compatible server: llama-server -hf random1st/secguard-models