Hermes Communication Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local file-queue bridge for WorkBuddy and Hermes, with privacy and trust-boundary cautions but no evidence of malware, exfiltration, or command execution in the artifacts.

Install only if you trust both agents and any local processes that can access ~/.hermes/shared/communication. Avoid sending secrets through this plaintext queue, review any Hermes-side consumer before allowing command-like messages, and enable cron or auto-polling only when you want ongoing background processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
Finding:
The documented schema includes a `command` message type even though the skill is presented as a shared-file communication bridge. Introducing command semantics into an inter-agent queue creates a control channel that can lead to command execution, privilege misuse, or unsafe agent-to-agent instruction passing if either side trusts queued messages.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Finding:
The documented queue protocol explicitly includes a `command` message type, which creates a pathway for one agent to send system-action instructions to another through a shared file channel. In an autonomous agent context, that is more dangerous than ordinary messaging because downstream components may interpret queued content as executable intent, enabling indirect command execution, privilege misuse, or unsafe automation without clear trust boundaries or approval requirements.

Context-Inappropriate Capability

Severity: Medium | Confidence: 82%
Finding:
The configuration explicitly supports a `command` message type with a `handle_command` handler, which expands a simple file-queue messaging skill into one capable of processing system-like commands. In a shared-file asynchronous communication channel, command semantics materially increase the risk of privilege misuse, command injection in downstream handlers, or unauthorized actions triggered by crafted queue messages, especially since the stated purpose only requires inter-agent communication rather than command execution.

Vague Triggers

Severity: Medium | Confidence: 83%
Finding:
The trigger phrases are broad and generic, which increases the chance the skill activates in contexts where the user did not intend to interact with a cross-agent file queue. For a skill that can write shared communication files and exchange task, file, or command-like messages, ambiguous activation expands the attack surface and raises the risk of unintended data transfer or agent actions.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding:
The description explains how to use the queue but omits prominent warnings that the skill writes shared queue/history files and supports risky message categories such as `file` and `command`. In a multi-agent bridge, missing warnings can cause users or downstream agents to treat the channel as harmless text messaging when it actually enables durable data exchange and potentially dangerous control messages.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding:
The README documents that messages are stored in shared queue and history files under a user-accessible home directory, but it provides no warning about persistence, retention, or local exposure of potentially sensitive communications. In this skill's context, the queue is the core transport mechanism, so users may place secrets or operational data into files that can be read later, backed up, or exposed to other local processes without realizing it.

Vague Triggers

Severity: Medium | Confidence: 76%
Finding:
The trigger phrases include broad natural-language terms such as '收hermes消息' ("receive Hermes messages") and '双向通信' ("two-way communication"), which can plausibly appear in ordinary conversation and cause unintended invocation of the skill. Because this skill reads and writes a shared communication queue, accidental activation could expose messages, modify queue state, or initiate cross-agent interactions the user did not intend.

Missing User Warnings

Severity: Medium | Confidence: 84%
Finding:
The skill describes direct interaction with shared queue and history files but does not warn users that normal operations will read from and modify those files. In a multi-agent shared-file design, lack of disclosure increases the chance of unsafe use, race conditions, message tampering, or unexpected persistence of sensitive content.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The documentation notes a `command` message type but does not warn that such messages may drive system actions when consumed by another agent. In this context, omitting that warning is security-relevant because users may treat the queue as harmless messaging while it can function as an instruction channel capable of influencing privileged automation.

VirusTotal

No VirusTotal findings