hermes-model-router

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed model-routing helper that installs local scripts and config, with no hidden data sending in the shipped code.

Install only if you want a task router that may direct complex work to cloud model providers. Treat provider-routed prompts as potentially leaving your machine, and avoid placing API keys or sensitive secrets in the plain config file unless you accept that storage model.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly routes 'complex' tasks to external cloud providers such as MiniMax and OpenRouter, but the documentation does not warn users that their prompts, code, or other task data may be transmitted off-device. This creates a real privacy and data-governance risk, especially because users may assume the tool is 'local-first' and may submit sensitive content without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal