Hermes Share

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate sharing purpose, but it automatically pushes skill archives to public file-sharing services and encourages one-step installation of received code into the agent’s active skills folder.

Use Review rather than outright blocking. Install only if you are comfortable sharing local skill contents with a temporary file host and installing received skills into the active Hermes environment. Before sharing, inspect the generated ZIP and avoid --all unless every skill is safe to disclose. Before installing a received ZIP, verify the sender, inspect install.sh and included SKILL.md files, and consider staging the files outside ~/.hermes/skills first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The receiving-side workflow instructs extraction of a ZIP and execution of an embedded installer script from that archive. Running bash on unpacked content is a classic arbitrary code execution pathway if a shared package is tampered with or comes from an untrusted sender, and the skill normalizes that behavior.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The embedded auto-installer writes packaged skill directories into the recipient's ~/.hermes/skills tree, which is broader than passive sharing and creates persistence inside the agent's skill path. A malicious or trojanized shared skill could therefore become available for future invocation after a single install action.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The workflow says every share must also upload the ZIP to third-party file-sharing services, contradicting the later claim that uploads only occur on explicit request. This is dangerous because it turns local sharing into automatic external transmission, increasing privacy and data leakage risk even when the user may only expect a direct attachment.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The template asserts that shared packages contain no API keys or sensitive data and are 'automatically sanitized,' but this file is only messaging content and does not itself enforce or verify that guarantee. That can mislead recipients into over-trusting an attached skill package, increasing the chance they install a package containing secrets or other unsafe content.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The Arabic version repeats the same unsupported assurance that the package contains no API keys or sensitive data. Because recipients may rely on this claim when deciding whether to install a downloaded package, the template can facilitate unsafe trust in potentially sensitive or malicious content.

Vague Triggers

Medium
Confidence: 77%
Finding
The trigger conditions are broad enough to activate on loosely related requests about sending, sharing, or installing skills. Over-broad activation is risky in an agent context because it may cause packaging, upload, or installation workflows to begin without a sufficiently specific user intent check.

Vague Triggers

Medium
Confidence: 79%
Finding
Allowing 'any similar phrasing in any language' for recipient-side installation with only a visible ZIP path creates ambiguity around when the agent should unzip and run installer logic. In a multilingual agent, that increases the risk of unintended execution from casually phrased messages or attacker-crafted prompts.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs uploading packaged skills to external file-sharing services without presenting a strong, immediate privacy warning at the point of upload. Even if some sanitization exists, skill bundles can still contain proprietary logic or overlooked sensitive content, so external transmission should not be implicit.

Missing User Warnings

Medium
Confidence: 93%
Finding
The template gives a one-step instruction telling the recipient to ask their Hermes agent to install a downloaded ZIP from ~/Downloads, but it does not warn that this executes or imports untrusted package content. In the context of a peer-to-peer skill sharing feature, that omission is more dangerous because it normalizes installing externally supplied skills with minimal scrutiny.

VirusTotal

2/66 vendors flagged this skill as malicious, and 64/66 flagged it as clean.