Back to skill

Security audit

AideNote for Hermes

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but installation changes the computer and stores an AideNote credential locally.

Install this only if you want AideNote connected to Hermes on this computer. Be aware that approved setup can install startup services and store an AideNote API key on disk; avoid shared machines, keep the credential file private, and use explicit AideNote wording when asking for private recordings or tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
raise BridgeError("powershell_missing", "PowerShell is required to install the AideNote bridge.")
        command = [powershell, "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", str(installer)]
    try:
        completed = subprocess.run(
            command,
            env=installer_environment,
            capture_output=True,
Confidence
82% confidence
Finding
completed = subprocess.run( command, env=installer_environment, capture_output=True, text=True, timeout=600, check=False

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill directs the agent to run local Python scripts, read/write local state, inspect system status, and download/install a connection suite, but it declares no permissions. This creates a transparency and policy-enforcement gap: a host may auto-enable a skill whose true capabilities include shell, filesystem, environment, and network access, increasing the chance of unintended code execution or data exposure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description uses broad trigger phrases like meeting minutes, transcripts, summaries, tasks, and action items that overlap with common user requests. This can cause the skill to activate in situations where the user did not intend to access real AideNote data, potentially prompting unnecessary local commands, account queries, or installation/status checks.

Unvalidated Output Injection

High
Category
Output Handling
Content
raise BridgeError("powershell_missing", "PowerShell is required to install the AideNote bridge.")
        command = [powershell, "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", str(installer)]
    try:
        completed = subprocess.run(
            command,
            env=installer_environment,
            capture_output=True,
Confidence
84% confidence
Finding
subprocess.run( command, env=installer_environment, capture_output

Credential Access

High
Category
Privilege Escalation
Content
def write_pairing_credentials(api_key: str) -> None:
    write_private_json(
        hermes_home() / "aidenote-credentials.json",
        {"apiBase": "https://api.aidenote.cn", "apiKey": api_key},
    )
Confidence
68% confidence
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.