
Security audit

Hermes Agent

Security checks across malware telemetry and agentic risk

Overview

Hermes Agent is a disclosed local memory and workflow-seeding skill, with persistence that users should knowingly opt into but no evidence of exfiltration, destructive behavior, or hidden execution.

Install this only if you want OpenClaw to keep durable local operational memory under ~/hermes-agent/ and let it influence future sessions. Review those files periodically, avoid saving secrets or sensitive personal information, and only approve AGENTS.md, SOUL.md, or HEARTBEAT.md seed edits you actually want.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 84%
Finding
The loop activates on broad triggers such as any 'non-trivial task' or 'long-running project context', which can cause the agent to enter a stateful behavior pattern far more often than a user would reasonably expect. In this skill, that matters because activation leads to reading and later writing persistent memory artifacts, so ambiguous invocation increases the chance of unintended state changes and hidden workflow steering.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to record lessons in reflections.md, compress them into memory.md, and add patterns to promotions.md without any requirement to notify or obtain approval from the user. Persistent writes can silently alter future agent behavior, create project-state drift, and institutionalize mistakes or sensitive information across sessions.

Vague Triggers

Medium
Confidence: 88%
Finding
The phrase 'on first activation' leaves a security-relevant trigger undefined, so an agent could interpret normal use as consent to perform initialization side effects. In this skill, that ambiguity matters because the initialization includes creating persistent files in the user's home directory, which can occur without a clearly bounded user approval step.

Missing User Warnings

Medium
Confidence: 95%
Finding
The template instructs creation of directories and files under '~/hermes-agent' but does not include a user-facing warning, consent step, or safety boundary around modifying the filesystem. In an agent skill context, persistent writes to the home directory are more dangerous because they establish long-lived state and may normalize silent workspace or environment changes beyond the immediate task.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill directs the agent to create local files and later patch workspace files, but the initial operational steps present these actions as setup flow rather than pairing them with an immediate, explicit consent checkpoint. Although later guardrails say to ask before writing to workspace or main memory files, the early file-creation instructions for `~/hermes-agent/` can still normalize unattended writes and increase the risk of unauthorized filesystem modification in a user environment.

VirusTotal

65/65 vendors flagged this skill as clean.
