Hermes Installer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Hermes Agent installer/configuration skill, with sensitive setup actions that are expected for its purpose but should be handled carefully.

Install only if you trust the Hermes Agent repository and the providers or messaging platforms you configure. Review shell commands before running them, use migration dry-run first, avoid importing API keys unless needed, keep ~/.hermes/.env private and out of source control, verify gateway pairing codes, and be aware that doctor.sh can send an authenticated API test request to the configured endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill clearly instructs shell-capable actions such as cloning repositories, installing packages, running scripts, and invoking Docker, but it declares no explicit permissions or safety boundaries for those operations. This is dangerous because an agent may execute installation, update, uninstall, or diagnostic commands without a clear trust/consent model, increasing the risk of unintended system modification.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The stated purpose is installation and configuration guidance, but the content also includes uninstall flows, deep health checks over local files/logs/runtime state, and API endpoint connectivity checks using stored credentials. That mismatch is risky because users or orchestration systems may invoke the skill expecting setup-only behavior while it can access sensitive local state, delete data, or trigger outbound requests with secrets.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The migration section instructs importing settings, memories, skills, and API keys from another product, which materially expands the skill from installer to sensitive data transfer tooling. This is dangerous because it can cause bulk import of secrets and personal/contextual data into a new environment without strong scoping, review, or minimization controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The health-check script performs a real outbound API request to the configured model provider, which goes beyond passive local validation and can trigger unintended data transmission, billing, or disclosure of the configured endpoint and credential usage. In an installer/diagnostic skill this is more dangerous because users may reasonably expect a safe local check, not a live authenticated network action.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The trigger phrases are broad enough to match common requests about installing or configuring Hermes, models, updates, and gateway integrations, which can cause the skill to activate in situations broader than intended. In a shell-capable installer skill, over-broad activation increases the chance of invoking system-changing or credential-touching guidance when a narrower informational response would be safer.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The migration instructions explicitly include settings, memories, skills, and API keys but do not foreground the sensitivity of those data types or warn about accidental import of secrets and private history. In context, this makes the migration path more dangerous because the skill normalizes moving sensitive data without clear consent, review, or minimization steps.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The document instructs users to configure numerous third-party model endpoints and supply API keys, but it does not warn that prompts, source code, attachments, and other potentially sensitive user data may be transmitted to external providers. In an installer/configuration skill, this omission materially increases privacy, compliance, and data-handling risk because users may assume these providers are equivalent to local processing or may not realize data leaves their environment.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documentation instructs users to place Feishu App ID and App Secret in a local environment file but does not warn that these are sensitive credentials that must be protected from source control, logs, screenshots, and shared systems. In an installer/configuration skill, this omission increases the chance of accidental secret exposure, which could allow unauthorized use of the gateway integration or bot identity.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The Telegram section shows a bot token format and setup steps without stating that the token grants control over the bot and must be treated like a password. Because this skill is specifically for deploying a messaging gateway, omission of that warning makes credential mishandling more dangerous: a leaked token could let an attacker impersonate the bot, read or send messages depending on integration behavior, or abuse the gateway connection.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The Discord configuration likewise instructs users to store a bot token without warning about its sensitivity or the consequences of compromise. In the context of a gateway skill that connects external chat systems to an agent, a stolen Discord bot token could enable unauthorized bot operation, message abuse, and potentially broader access through the integrated automation workflow.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script sends the bearer API key over the network and includes test payload data, but only labels this as an API connectivity test without explicitly warning the user that authenticated traffic will be generated. That creates a transparency and consent issue, and may expose secrets to an untrusted or misconfigured OPENAI_BASE_URL endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.