
Security audit

Hermes Memory Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a real Hermes and WorkBuddy memory bridge, but it gives a persistent background process broad command, memory, and task authority without enough safeguards.

Install only if you intentionally want Hermes and WorkBuddy to share persistent memories and let one side send commands for the other to process. Before enabling the launchd watcher, restrict shared-directory permissions, back up Hermes and WorkBuddy memory files, remove or disable the weather extension if unneeded, and require manual approval or an allowlist for task changes, memory writes, and any command received from shared signal files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Query the weather via wttr.in
    cmd = ["curl", "-s", f"wttr.in/{location}?format={format_type}"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)

    if result.returncode == 0:
        return {
Confidence
95% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises and documents shell execution, environment-variable use, and direct reads/writes to user files, but does not declare permissions. That creates a trust boundary failure: users or host platforms cannot accurately assess or constrain what the skill can do before activation, which is especially risky here because the documented behavior includes modifying memory files and invoking local scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose centers on memory bridging, but the behavior extends into agent-to-agent messaging, persistence installation, executable script creation, third-party task operations, and even external network access. That mismatch is dangerous because it hides materially more powerful capabilities than a user would reasonably expect, increasing the chance of silent code execution, persistence, unwanted file changes, or exfiltration through auxiliary features.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The watcher does more than passively observe or synchronize memory: it imports a task processor, derives a command from incoming Hermes-controlled JSON, executes it, and then writes feedback and ACKs automatically. In a shared-directory trust boundary, any actor able to place or modify signal files can trigger unintended actions without an explicit user approval gate, which materially expands the skill into remote task execution/orchestration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module does more than passive memory synchronization: it creates a new executable script in another product's skill directory and persists Hermes-derived memory files there. That expands the trust boundary from data sharing into code deployment and data propagation, which can enable unauthorized behavior changes, unexpected execution, and wider exposure of potentially sensitive memory content.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code programmatically writes a Python script and marks it executable inside WorkBuddy's skills area, giving this bridge an implicit installation capability beyond its advertised purpose. In a plugin ecosystem, creating runnable artifacts can become a persistence or lateral-function mechanism, especially if WorkBuddy auto-discovers or executes skill files from that directory.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The installer creates a persistent macOS LaunchAgent that continuously runs a watcher process with KeepAlive enabled. For a skill presented as a memory-bridge, adding background persistence materially expands execution scope and attack surface, especially because the launched Python script is taken from the skill directory and will run repeatedly once loaded.
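The overview tells you to restrict shared-directory permissions and review the launchd watcher before loading it. The following is an added example, not code from this skill or from SkillSpector, of what that pre-enable check can look like: it parses a LaunchAgent plist and reports the persistence properties (KeepAlive, RunAtLoad, a program path inside the skill directory, a log in /tmp), then audits a shared directory for permissions that would let another local user plant or edit signal and memory files. The plist below is constructed; only the label and log path come from the install commands on this page, the home directory and the script name `watcher.py` are assumptions.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# Constructed LaunchAgent in the shape the finding describes: a KeepAlive watcher
# whose program is a Python script inside the skill directory. Label and log path
# are taken from the install commands on this page; the home directory and the
# script name watcher.py are assumptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.workbuddy.hermes-watcher</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/python3</string>
    <string>/Users/me/.workbuddy/skills/hermes-memory-bridge/watcher.py</string>
  </array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
  <key>StandardOutPath</key><string>/tmp/hermes-watcher.log</string>
</dict>
</plist>
"""


def audit_launch_agent(plist_bytes: bytes) -> list:
    """Return the persistence-related properties a reviewer should notice before loading."""
    d = plistlib.loads(plist_bytes)
    findings = []
    if d.get("KeepAlive"):
        findings.append("KeepAlive: launchd restarts the watcher whenever it exits")
    if d.get("RunAtLoad"):
        findings.append("RunAtLoad: the watcher starts at every login")
    for arg in d.get("ProgramArguments", [])[1:]:
        if "/skills/" in arg and arg.endswith(".py"):
            findings.append(f"program is a script in a user-writable skill directory: {arg}")
    log = d.get("StandardOutPath", "")
    if log.startswith("/tmp/"):
        findings.append(f"log file lives in shared /tmp: {log}")
    return findings


def audit_shared_dir(path: Path) -> list:
    """Flag permissions that let another local user forge signal or memory files."""
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants group/other access; expect 0700")
    for child in sorted(path.iterdir()):
        if child.is_symlink():
            # A planted symlink turns a memory write into a write somewhere else.
            findings.append(f"{child}: symlink inside the bridge directory")
            continue
        cmode = stat.S_IMODE(child.stat().st_mode)
        if cmode & 0o022:
            findings.append(f"{child}: mode {cmode:04o} is group/other writable")
    return findings


def demo_shared_dir() -> tuple:
    """Create a throwaway bridge directory, audit it wide open, tighten it, audit again."""
    root = Path(tempfile.mkdtemp(prefix="bridge-shared-"))
    signal = root / "signal.json"   # constructed stand-in for a signal file
    signal.write_text("{}")
    os.chmod(root, 0o777)
    os.chmod(signal, 0o666)
    before = audit_shared_dir(root)
    os.chmod(signal, 0o600)
    os.chmod(root, 0o700)
    after = audit_shared_dir(root)
    return before, after


if __name__ == "__main__":
    for line in audit_launch_agent(SAMPLE_PLIST):
        print("plist:", line)
    before, after = demo_shared_dir()
    print("open dir findings:", before)
    print("tightened dir findings:", after)
```

Run it against the real plist with `audit_launch_agent(Path("~/Library/LaunchAgents/com.workbuddy.hermes-watcher.plist").expanduser().read_bytes())` and against the real shared directory; an empty list from `audit_shared_dir` is the state you want before `launchctl load`. Tightening permissions only closes the local-user vector: a signal written by a compromised Hermes process still arrives with the right ownership, which is why the allowlist and approval gate matter as well.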

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The module advertises and implements external task-management actions such as creating and completing TickTick tasks, which exceeds the stated memory-bridge purpose. This capability expansion increases the attack surface and enables side effects in third-party systems from a component that users may reasonably expect to only read/write memory data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code executes Python subprocesses to interact with TickTick, enabling external task operations from incoming commands. In a memory-bridge skill, this is especially dangerous because a caller expecting passive synchronization can trigger active actions in another service, and later handlers interpolate untrusted parameters into Python code strings.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file explicitly extends a Hermes↔WorkBuddy memory-bridge processor with weather querying, which is unrelated to the declared skill purpose. Scope expansion is dangerous because it grants new network-capable behavior where users and reviewers would only expect memory synchronization features, reducing transparency and increasing abuse potential.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This code adds a network-backed weather lookup via curl to wttr.in without clear justification from the skill's stated role. An attacker or misconfigured workflow could leverage this path for unintended outbound requests and data disclosure, especially in environments that assume the skill only handles local memory/task bridge operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list contains broad, natural phrases that could be encountered during ordinary conversation, causing the skill to activate outside clear user intent. In a skill that can read/write memory, execute commands, and process cross-agent tasks, ambiguous activation materially raises the risk of unintended actions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The example utterances are generic enough to overlap with normal discussion, reinforcing accidental invocation risk. Because this skill supports memory synchronization and command/task handling, accidental activation could lead to unauthorized reads, writes, or task execution based on conversational text alone.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation states that WorkBuddy will process commands sent from Hermes, but it does not prominently warn users that another agent can cause local command/task execution. In this context, the shared-directory bridge acts as a command channel, so missing warnings and trust controls could let spoofed or unintended Hermes messages trigger privileged local actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The storage layout documents writes to shared memory and personal note files, including Hermes personal notes, without a clear modification warning or consent model. This is dangerous because users may assume the skill is read-only or synchronization-only, while it can actually alter persistent personal data across systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `learning_sync` command initiates synchronization of Hermes learning materials into WorkBuddy immediately after a generic status message, without previewing what categories of data will be copied, the destination, or requiring explicit confirmation. In a memory-bridge skill that moves session and learning data across systems, this increases the risk of unintended disclosure or propagation of sensitive notes, prompts, or internal context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Incoming Hermes signals are automatically processed and cause result write-back and ACK emission without a user-facing warning or consent check at the moment of execution. That makes silent command handling possible, so a forged or unexpected signal can be acted on immediately and appear legitimate through the generated feedback/acknowledgment trail.
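Both this finding and the earlier "Missing User Warnings" finding on command processing come down to the same gap: the watcher treats any JSON that appears in the shared directory as an authentic Hermes instruction. The following is an added example, not code from this skill, of the gate the overview recommends: the sender authenticates each signal with an HMAC over a canonical serialization, the watcher rejects anything with a bad MAC, a stale timestamp, or a reused id, runs only a short allowlist of commands automatically, and holds everything else for manual approval. The signal schema (`command`, `id`, `ts` fields in a `payload` object), the allowlisted command names and the key are assumptions; the page does not document the real signal format.

```python
import hashlib
import hmac
import json
import time

# Commands the watcher may run without a human in the loop. Names are assumptions;
# the page does not document the real signal schema. Keep the key out of the
# shared directory, otherwise anyone who can write signals can also sign them.
AUTO_ALLOWLIST = {"memory_read", "memory_sync"}
MAX_AGE_SECONDS = 300


def canonical(payload: dict) -> bytes:
    # Stable serialization so the MAC covers exactly one byte sequence per payload.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_signal(payload: dict, key: bytes) -> dict:
    """What the sending side writes: the payload plus HMAC-SHA256 over its canonical form."""
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def encode_signal(doc: dict) -> bytes:
    """Bytes as they would be written to the signal file."""
    return json.dumps(doc).encode()


def validate_signal(raw: bytes, key: bytes, seen_ids: set, now: float = None) -> tuple:
    """Gate one incoming signal file.

    Returns (verdict, reason); verdict is "execute", "hold" (queue for manual
    approval) or "reject". Authentication is checked before anything else so an
    unsigned file cannot influence any later decision.
    """
    try:
        doc = json.loads(raw)
    except ValueError:
        return "reject", "not JSON"
    if not (isinstance(doc, dict) and isinstance(doc.get("payload"), dict)
            and isinstance(doc.get("mac"), str)):
        return "reject", "malformed envelope"
    payload = doc["payload"]
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        return "reject", "bad MAC"
    ts, sid, cmd = payload.get("ts"), payload.get("id"), payload.get("command")
    current = now if now is not None else time.time()
    if not isinstance(ts, (int, float)) or abs(current - ts) > MAX_AGE_SECONDS:
        return "reject", "stale or missing timestamp"
    if not isinstance(sid, str) or sid in seen_ids:
        return "reject", "missing or replayed id"
    seen_ids.add(sid)   # remembered for held signals too, so approval cannot be replayed
    if cmd not in AUTO_ALLOWLIST:
        return "hold", f"command {cmd!r} needs manual approval"
    return "execute", "ok"


if __name__ == "__main__":
    key = b"shared-secret-kept-outside-the-bridge-dir"   # constructed
    seen = set()
    good = sign_signal({"command": "memory_sync", "id": "s1", "ts": 1000}, key)
    print(validate_signal(encode_signal(good), key, seen, now=1000))
    forged = sign_signal({"command": "memory_sync", "id": "s2", "ts": 1000}, key)
    forged["payload"]["command"] = "run_shell"   # edited after signing
    print(validate_signal(encode_signal(forged), key, seen, now=1000))
```

The ACK and feedback files the watcher writes back should carry the same MAC treatment, otherwise a forged ACK can make an unprocessed signal look completed. The `seen_ids` set needs to be persisted across watcher restarts (launchd restarts it on every exit) or the replay check only holds within one process lifetime.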

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The bridge copies Hermes memory artifacts into another skill directory without any confirmation, warning, minimization, or policy enforcement. This can leak sensitive summaries or feedback into a broader execution context where other skills, logs, backups, or users may access the data, increasing confidentiality and integrity risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Task creation performs an immediate external side effect without any confirmation, and it embeds the untrusted title directly into a Python -c string executed in a subprocess. An attacker controlling title can break out of the string literal and execute arbitrary Python code under the current user, in addition to creating unauthorized tasks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Task completion marks external tasks done without confirmation and injects the untrusted task_id into a Python -c snippet. A crafted task_id can execute arbitrary Python code in the subprocess context or silently alter external task state, making this both a code-execution and integrity risk.
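The two findings above (task creation interpolating `title`, task completion interpolating `task_id`) describe the same bug, so one added example covers both. It is not the skill's code; it reproduces the flagged shape with a constructed template and a constructed malicious title, shows the breakout by counting statements in the generated program and by running it, and then shows the fix: keep the `-c` program text constant and pass the untrusted value as its own argv element. The JSON-printing program is an assumption standing in for the real TickTick call; the same change applies to `task_id`.

```python
import ast
import json
import subprocess
import sys

# Constructed inputs. BENIGN is an ordinary task title. MALICIOUS closes the string
# literal and the surrounding call, appends a statement, then reopens a matching
# literal so the generated program still parses and runs.
BENIGN = "Buy milk"
MALICIOUS = "x'})); print('INJECTED'); print(json.dumps({'created': 'y"


def build_vulnerable_cmd(title: str) -> list:
    """The flagged pattern: untrusted text spliced into the source of a python -c program."""
    snippet = f"import json; print(json.dumps({{'created': '{title}'}}))"
    return [sys.executable, "-c", snippet]


def build_hardened_cmd(title: str) -> list:
    """Fixed program text; the title rides in argv and is read back through sys.argv."""
    snippet = "import json, sys; print(json.dumps({'created': sys.argv[1]}))"
    return [sys.executable, "-c", snippet, title]


def statement_count(cmd: list) -> int:
    """Top-level statements in the -c program. Growth with the input means injection."""
    return len(ast.parse(cmd[2]).body)


def run_lines(cmd: list) -> list:
    """Run the child interpreter and return its stdout lines."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=True)
    return proc.stdout.splitlines()


def created_title(cmd: list) -> str:
    """Parse the single JSON line the hardened program prints."""
    return json.loads(run_lines(cmd)[0])["created"]


if __name__ == "__main__":
    print("vulnerable, benign:  ", statement_count(build_vulnerable_cmd(BENIGN)), "statements")
    print("vulnerable, malicious:", statement_count(build_vulnerable_cmd(MALICIOUS)), "statements")
    print("vulnerable output:   ", run_lines(build_vulnerable_cmd(MALICIOUS)))
    print("hardened, malicious: ", statement_count(build_hardened_cmd(MALICIOUS)), "statements")
    print("hardened output:     ", created_title(build_hardened_cmd(MALICIOUS)))
```

`shlex.quote` would not help here: no shell is involved, the interpolation is into Python syntax, so quoting for a shell changes nothing. Escaping with `repr(title)` closes this particular hole but still ships data as code; argv (or a JSON document on stdin via `input=`) keeps the two separate and needs no per-field escaping.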

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The handler sends user-supplied location data to wttr.in with no consent prompt, privacy notice, or indication that an external service will receive the query. In a memory-bridge skill, users would not reasonably expect their inputs to be transmitted to a third party, making the privacy mismatch more severe.

Ssd 3

Medium
Confidence
87% confidence
Finding
This module writes arbitrary caller-controlled content into shared logs and memory files that are explicitly intended for later agent consumption across the Hermes/WorkBuddy bridge. Because `_sanitize` is only applied to `append_hermes_memory` and is narrowly pattern-based, `write_shared_log` and `write_bridge_event` can persist prompt-like text, secrets, or hostile instructions that another agent may later read and act on, creating a cross-agent data leakage and prompt-injection channel.

Session Persistence

Medium
Category
Rogue Agent
Content
bash ~/.workbuddy/skills/hermes-memory-bridge/install_v2.sh

# Start the daemon
launchctl load ~/Library/LaunchAgents/com.workbuddy.hermes-watcher.plist

# Tail the log
tail -f /tmp/hermes-watcher.log
Confidence
90% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
bash ~/.workbuddy/skills/hermes-memory-bridge/install_v2.sh

# Start the daemon
launchctl load ~/Library/LaunchAgents/com.workbuddy.hermes-watcher.plist

# Tail the log
tail -f /tmp/hermes-watcher.log
Confidence
90% confidence
Finding
plist

VirusTotal

No VirusTotal findings
