The adversarial AI testing harness that doesn't pretend a Python loop can outthink you. An AI security research harness. Built single-shot by an AI agent using qwen3.6-plus and Telegram. No laptop. No IDE. No VS Code. No copilot. No "let me set up my dev environment first." Just a VPS, Terminal, and unapologetic stubbornness.
Find the cracks in AI safety boundaries. Fissure is an autonomous adversarial testing harness for Hermes Agent. The agent IS the orchestrator — no Python loop eating your context window, just 40+ techniques, 5 encoding levels, and cross-session learning that compounds.
# Install (Linux/macOS/WSL)
curl -fsSL https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.sh | bash
# Tell your Hermes agent:
# "🔥 Fissure — test gandalf.lakera.ai/baseline"That's it. The agent reads the SKILL.md, probes the target, adapts techniques, and reports results.
One-liner:
curl -fsSL https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.sh | bashOr download + run:
curl -LO https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.sh
chmod +x install-fissure.sh
./install-fissure.shWhat it does:
- Clones the repo to
~/.hermes/skills/red-teaming/fissure/ - Creates the session wiki at
~/.hermes/wiki/fissure/ - Installs Python dependencies (stdlib-only, no heavy deps)
- Detects optional tools (ollama, godmode skill)
Re-run to update: The installer detects existing installs and auto-updates.
Prerequisites:
- Install WSL2 with Ubuntu
- Open WSL terminal
# Inside WSL:
curl -fsSL https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.sh | bashWSL note: If you see git errors (file locking, permission issues), run:
cd ~/.hermes/skills/red-teaming/fissure git config core.filemode false git config core.autocrlf false
iwr -Uri https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.ps1 -UseBasicParsing | iexThe PowerShell installer auto-detects WSL and delegates to the bash installer if available. On native Windows, it installs to %USERPROFILE%\.hermes\skills\red-teaming\fissure.
pkg install git python3 curl
curl -fsSL https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.sh | bashgit clone https://github.com/m4xx101/fissure.git ~/.hermes/skills/red-teaming/fissure
cd ~/.hermes/skills/red-teaming/fissure
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt 2>/dev/null || true
python3 scripts/wiki.py bootstrapThe easiest way — just run the same install command again:
curl -fsSL https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.sh | bashIt detects the existing .git directory and:
- Auto-stashes any local changes
- Fetches the latest code
- Pulls (or hard-resets if history diverged)
- Reinstalls Python dependencies
- Bootstrap the wiki
- Restores your local changes (or leaves them in stash for manual restore)
Tell your Hermes agent:
/fissure_update
Or run the standalone update script:
bash ~/.hermes/skills/red-teaming/fissure/scripts/fissure-update.shSystem cron (Linux / macOS):
# Add to crontab: crontab -e
0 3 * * * ~/.hermes/skills/red-teaming/fissure/scripts/fissure-update.sh >> ~/.fissure-update.log 2>&1Hermes Agent cron:
/cron set --name "fissure-daily-update" --schedule "0 3 * * *" --deliver local --skills fissure --prompt "Run the fissure update routine"
# 1. Install (one time)
curl -fsSL https://raw.githubusercontent.com/m4xx101/fissure/main/scripts/install-fissure.sh | bash
# 2. Start Hermes and tell it:
hermes
# → "🔥 Fissure — test gandalf.lakera.ai/baseline"
# The agent will:
# 1. Load the SKILL.md protocol
# 2. Identify the challenge
# 3. Try techniques (direct ask → encoding → roleplay → etc.)
# 4. Score responses
# 5. Deliver the password| Command | What it does |
|---|---|
/fissure {url} |
Run fissure against a browser target |
/fissure --ollama {model} |
Test a local Ollama model |
/fissure --openrouter {model} |
Test a cloud model via OpenRouter |
/fissure --race {objective} |
Race all backends simultaneously |
/fissure_resume |
Resume last checkpoint |
/fissure_status |
Check current session state |
/fissure_wiki {query} |
Search session history |
/fissure_update |
Update to latest version |
Browser targets (URLs):
/fissure https://gandalf.lakera.ai/baseline
/fissure https://chatgpt.com
/fissure https://claude.ai
Ollama targets (local models):
/fissure --ollama llama3.2
/fissure --ollama qwen2.5:7b
OpenRouter targets (cloud models):
/fissure --openrouter openai/gpt-4o
/fissure --openrouter anthropic/claude-sonnet-4
- The agent navigates to the target URL
- Identifies chat input fields and submit buttons
- Sends the selected technique's payload
- Extracts and scores the response
- Escalates or switches technique based on score
For Ollama or OpenRouter, the agent:
- Sends raw API requests via
curl - Extracts response content
- Scores and adapts like browser mode
┌─────────────────────────────────────────────────┐
│ AGENT'S REASONING │
│ │
│ Reads SKILL.md → understands protocol │
│ Analyzes target → picks technique │
│ Calls helpers for math (payload-gen, score) │
│ Executes tools directly (browser, terminal) │
│ Scores results → decides next action │
│ Loops in its own context │
└────────────┬────────────┬────────────┬──────────┘
│ │ │
┌───────▼──┐ ┌──────▼───┐ ┌───▼────────┐
│payload- │ │score.py │ │wiki.py │
│gen.py │ │50 lines │ │100 lines │
│80 lines │ │pure math │ │CRUD ops │
│no state │ │no state │ │no logic │
└──────────┘ └──────────┘ └────────────┘
Key principle: The code is the oven mitt, not the chef. The agent IS the orchestrator.
| Tier | Techniques | Encoding | Best Against |
|---|---|---|---|
| 🟢 Light | Refusal Inversion, Role-Play, Academic Frame, Hypothetical | None-L0 | All models |
| 🟡 Medium | Encoding Escalation, System Prompt Leak, Prefill Injection | L1-L2 (b64, 1337) | GPT, DeepSeek, Gemini |
| 🔴 Heavy | Synthesis, Multi-layer Encoding, Crescendo (T4-T5) | L3-L4 (rev, multi) | Llama, Qwen, Mixtral |
| ⚫ Nuclear | Hybrid (technique + encoding + prefill) | ALL | When everything fails |
Techniques are auto-ranked by session history — the system learns what works for each model version.
| Symptom | Fix |
|---|---|
git pull fails with file locking |
git config core.filemode false && git config core.autocrlf false |
| Python not found | sudo apt install python3 python3-pip python3-venv |
| Permission errors on /mnt/c/ | Run from Linux home directory (~) |
| pip install fails | sudo apt install build-essential python3-dev |
| Symptom | Fix |
|---|---|
curl: command not found |
sudo apt install curl (or brew install curl on macOS) |
git: command not found |
sudo apt install git (or brew install git on macOS) |
pip3: command not found |
sudo apt install python3-pip |
| Install hangs | Check network / proxy settings. Try: git clone https://github.com/m4xx101/fissure.git directly |
| "Not a git repository" | Delete the directory and re-run the installer: rm -rf ~/.hermes/skills/red-teaming/fissure |
| Symptom | Fix |
|---|---|
| "No chat input found" | The page may need login first. Try browser mode and check for login prompts |
| CAPTCHA blocking | Fissure falls back to API mode automatically. Use --openrouter as alternative |
| Rate limited (429) | Fissure auto-waits and retries. For persistent limits, use a different backend |
| Wiki checkpoints grow large | Clean old ones: rm -rf ~/.hermes/wiki/fissure/checkpoints/*.json |
| Metric | Other Harnesses | Fissure |
|---|---|---|
| Orchestration | 500+ line Python loop | Your AI agent's reasoning |
| Payload generation | Huge JSON blobs with embedded system prompts | 80-line single-shot generator |
| Token overhead | ~2KB per payload + ~500B per response | ~200B per payload hash + ~100B score summary |
| Backend support | One at a time, hardcoded | Browser / Ollama / OpenRouter, fallback chain |
| Multi-turn | Usually "one shot and done" | True crescendo (5-turn protocol) |
| Resume | Never — start over if context dies | Wiki checkpoint system, resume from any point |
| Cross-session memory | None | Full wiki database, technique rankings persist |
| Fallback chains | Maybe one try/catch | 25+ documented error scenarios with recovery |
| Update | Reinstall manually | Auto-stash + pull + dep refresh + cronjob support |
PRs welcome. The bar:
- Zero hallucinations — if your code assumes something about a model, prove it
- Fallback chains — every new feature needs 3-level fallback minimum
- No token waste — your code should not generate text that the agent has to re-parse
- Windows support — your installer must work in PowerShell
- Update-friendly — new installers must detect existing installs
MIT. Find something cool? Open an issue.
This tool is for authorized security research only. You are responsible for complying with all applicable laws and terms of service. The authors assume no liability for misuse.
"The best jailbreak tool is the one that doesn't pretend to be smarter than the person using it."