Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hermes Deploy
v1.0.2
Complete guide to deploying Hermes Agent with OpenClaw (including autostart on boot)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (deploy Hermes Agent and enable autostart) match the instructions: cloning/installing the agent, migrating OpenClaw config, configuring Feishu, and toggling approvals. Asking to move model/API credentials and messaging credentials is consistent with a migration tool. However, the skill explicitly instructs disabling approvals (YOLO mode) which goes beyond mere deployment and changes the agent's execution policy (allowing remote command execution without interactive approval).
Instruction Scope
The SKILL.md tells the operator to run curl | bash against raw.githubusercontent.com (install script) and to run automatic migration including secrets (--migrate-secrets). It instructs writing many API keys/credentials into ~/.hermes/.env and to set approvals.mode=false (YOLO mode) so messages can trigger commands without approval. Those actions involve sensitive data movement and enable remote execution; they are in-scope for a deployer but materially increase attacker blast radius and should be treated as high-risk.
Install Mechanism
There is no formal install spec, only commands in SKILL.md. The guide recommends piping an install script from raw.githubusercontent.com into bash and alternatively downloading a GitHub zip — both are common but carry risks. Piping remote scripts to shell is a known risky pattern and should be reviewed before execution. No obscure or shortener URLs are used (GitHub raw / github.com), which reduces but does not eliminate risk.
Credentials
The skill does not declare required env vars in metadata, but the instructions explicitly create/require many secrets (OPENAI_API_KEY, OPENAI_BASE_URL, FEISHU_APP_ID/SECRET, and mentions OpenRouter/Anthropic/ElevenLabs keys). Asking to migrate and store multiple API keys is explainable for migration, but it's sensitive and the automated migration command (--migrate-secrets -y) could read and copy secrets from local OpenClaw configs without interactive confirmation. Additionally, the included _publish_log.md contains a hard-coded ClawHub login token, which is an unexpected embedded credential.
Persistence & Privilege
The skill does not request always:true and does not modify other skills; it instructs creating files under ~/.hermes and starting background processes (nohup, pkill, gateway run), which is normal for installing a long-running agent. The main privilege concern is functional: disabling approvals (YOLO) increases the agent's ability to execute arbitrary actions from remote messages — a dangerous configuration change but within the declared purpose of enabling YOLO mode.
Scan Findings in Context
[hardcoded-token-in-publish_log] unexpected: The _publish_log.md includes a ClawHub login token (clh_gVs0mARZTsQk5JZ0tjGBGfQeA7AG60HoHEouUgBIEUU). Embedding a login token in a publish log bundled with the skill is not necessary for a deployment guide and exposes a credential that could be abused if valid. This is unexpected and should be treated as sensitive; if the token is live it should be considered compromised and rotated.
What to consider before installing
This skill appears to be a legitimate deployment guide, but it contains several high-risk recommendations. Before using it:
(1) Do not blindly run curl | bash — fetch and review the install script from the repository first.
(2) Inspect the Hermes repository and install artifacts (the scripts and Python packages) for malicious behavior before installing.
(3) Avoid using the automatic secret-migration option (--migrate-secrets -y) unless you trust both environments; prefer manual transfer of API keys and rotate keys after migration.
(4) Do not enable YOLO/disable approvals in production or on machines with sensitive data — this allows remote messages to execute commands without confirmation.
(5) Treat the ClawHub token found in _publish_log.md as sensitive: remove it, and if you have any relationship to that token rotate or revoke it.
(6) If possible run the install in an isolated/test environment or container first, and review logs and network connections for unexpected exfiltration.
If you want, I can list the exact commands in this SKILL.md you should review or suggest safer alternatives (manual install steps, systemd unit, and a checklist for secret handling).
Like a lobster shell, security has layers — review code before you run it.
