Security audit

Hersona

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for persona management, but its persistent mode can alter long-lived agent prompt/config state and the documentation is inconsistent about what gets changed and reset.

Install only if you are comfortable with a persona skill that can change persistent Hermes prompt/profile state. Before using persistent or reset mode, manually inspect and back up `~/.hermes/config.yaml` and `~/.hermes/profiles/<profile>/SOUL.md`, avoid putting sensitive information in `--memory`, and verify cleanup yourself because the documentation is inconsistent about which files are automatically modified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The persistent-mode documentation gives conflicting statements about whether `~/.hermes/config.yaml` is modified automatically. This can cause operators or downstream agents to take incorrect actions around persistence, backup, and rollback, leading to accidental misconfiguration or unsafe assumptions about what files are changed.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
Reset mode says it deletes persistent registrations from `config.yaml`, but persistent mode elsewhere says the skill does not automatically write to `config.yaml`. This contradiction is dangerous because users may believe reset fully removes persisted state when it may not, or may expect edits to files that were never written, causing incomplete cleanup and confusing security state.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The manifest description claims persistent registrations are written to `~/.hermes/config.yaml` and `SOUL.md`, while the body later says `config.yaml` is not automatically modified. Because manifest metadata is often consumed programmatically or shown before the full body, this mismatch can mislead tooling and users into authorizing broader file modification than actually intended, or failing to protect the right files.

Missing User Warnings

Medium
Confidence: 87%
Finding
This reference includes operational steps to modify persistent user state in `~/.hermes/config.yaml` and `SOUL.md`, but it does not place a clear warning adjacent to those instructions about persistence, overwrite risk, or possible prompt-behavior changes across future sessions. In this skill's context, that is security-relevant because the skill is explicitly designed to inject persona content into system-level prompts and make it persistent, so users may unintentionally alter long-lived agent behavior or preserve sensitive context.

VirusTotal

VirusTotal findings are pending for this skill version.