Hermes AGI Instruction Iteration and Execution Supervision

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local task-planning helper, but it should be reviewed because it stores raw task prompts and includes an under-scoped scorer that can rewrite JSON files by path.

Install only if you are comfortable with local scripts saving your task wording under ~/.hermes. Avoid entering secrets, credentials, sensitive business plans, or personal data unless local retention is acceptable. Be careful with scripts/hermes_supervisor.py score because it can modify the JSON file at whatever path it is given; prefer using task files created by this skill and delete ~/.hermes when you no longer want the history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the AI to invoke shell scripts that write persistent task data under ~/.hermes/tasks/, but the skill does not declare permissions or clearly surface that file-write capability at the metadata level. This creates a transparency and consent problem: a user may believe they are only getting planning help while the skill causes local state changes in the home directory.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially exceeds and contradicts the declared purpose: the skill persists data in the user's home directory, uses fixed-template decomposition, and does not actually implement the claimed rewrite/verification loop. This mismatch is dangerous because users and host systems may grant trust, approval, or access based on the declared purpose while hidden or overstated behavior changes data locally and misrepresents what supervision is actually occurring.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill says it 'does not perform execution' while elsewhere directing automatic AI invocation of shell scripts that create task files. This contradiction can mislead users into underestimating the operational risk, especially in agent environments where 'auto-call' behavior may execute without an additional human review step.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The `score` command accepts an arbitrary `task_file` path from `sys.argv[2]`, then reads JSON from it and writes the modified object back to the same path without restricting it to `~/.hermes/tasks` or validating that it is a Hermes task file. This creates an unintended arbitrary local file overwrite primitive for any JSON file the user can access, which exceeds the tool's stated task-supervision purpose and can corrupt unrelated application data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly says the AI will automatically call a script that creates persistent files in the user's home directory, but it does not provide a prominent warning or informed-consent step for that file-writing behavior. Silent or poorly disclosed persistence increases the risk of unwanted local data retention, privacy issues, and misuse in shared or sensitive environments.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description is extremely broad and frames the skill as a general-purpose AGI instruction decomposition, supervision, rewriting, and enforcement loop without clear boundaries, approved domains, or safety constraints. In an agent environment, this can cause over-activation, unsafe delegation, or policy-bypassing task reformulation because the skill presents itself as applicable to vague user requests with no documented limits.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists the user's raw instruction verbatim into a file under $HOME/.hermes/tasks without any disclosure, consent prompt, retention notice, or minimization. Because this skill is explicitly designed to process vague AGI instructions, the input may contain sensitive data, credentials, internal plans, or personal information, creating a confidentiality and privacy risk if local files are later accessed by other users, tools, backups, or telemetry.

VirusTotal

67/67 vendors flagged this skill as clean.