Hermes Work Visualization

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Hermes reporting tool, but some reports appear to use sample data as real session metrics and its monitor stop command can kill broadly matched local processes.

Install only after reviewing the scripts. Treat generated reports as demo-style output unless you verify they are connected to real Hermes telemetry, and avoid relying on them for audits. Review any exported report before sharing it. Be cautious with the monitor stop command: it may kill any local process whose command line matches its pattern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if result.stdout.strip():
    pids = result.stdout.strip().split('\n')
    for pid in pids:
        subprocess.run(['kill', pid])
    print(f"{stopped} {len(pids)} {processes}")
else:
    print(no_running)
Confidence
91% confidence
Finding
subprocess.run(['kill', pid])

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises commands and configuration that imply shell execution, environment-variable access, and reading/writing files, but it does not declare those permissions explicitly. That creates a transparency and consent problem: users may invoke a seemingly harmless visualization skill without understanding it can access session data and local files. In an agent ecosystem, undeclared capabilities increase risk because orchestration layers cannot reliably gate or audit the skill's real behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is work visualization, but the detected behavior extends into skill-directory scanning, health auditing, system monitoring, process management via pgrep/kill, and auto-opening files with xdg-open. Those extra behaviors materially expand the trust boundary beyond visualization and could expose sensitive metadata, interfere with local processes, or execute unintended desktop actions. The mismatch is especially risky because users would not reasonably expect monitoring and process-control features from the declared description.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script presents hard-coded task progress, tool usage, code changes, and efficiency metrics as if they were real Hermes activity, which can mislead users into trusting fabricated operational data. In a work-visualization skill, this is especially problematic because the core stated purpose is accurate reporting of agent behavior, so false reporting undermines auditability and can conceal actual actions or failures.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
For a visualization/monitoring skill, the ability to terminate local processes is outside the minimally necessary scope and increases the blast radius of misuse or mistakes. Because termination is based on pattern matching rather than a tightly controlled lifecycle, it can disrupt unrelated services or other user workloads.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script advertises that it generates a current session summary, but all reported task, skill, tool, and code-change metrics are hardcoded demo values rather than derived from real session state. In a visualization/reporting skill, this can mislead users into trusting fabricated operational data, causing incorrect decisions, false audit trails, or concealment of actual activity.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The function documentation and surrounding UX imply real statistics generation, but the implementation uses fixed sample entries. This creates a semantic integrity problem: operators may rely on output as factual telemetry when it is only mock data, which is especially risky in an agent-observability skill whose core purpose is accurate reporting.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill summarizes work progress, code changes, tool usage, and session statistics, which may include sensitive operational details, source code context, filenames, or behavioral metadata. Without a clear warning and consent language, users may unknowingly enable collection or export of sensitive session data into reports or logs. In a monitoring-oriented skill, lack of disclosure meaningfully increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The monitor persistently writes activity and system-status information to a file under the user's home directory without an explicit consent or retention notice. Even if the current contents are limited, silent persistent logging can expose operational metadata and surprise users in privacy-sensitive environments.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal