Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hermes-attestation-guardian

v0.1.0

Hermes-only runtime security attestation and drift detection skill for operator-managed Hermes infrastructure.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for davida-ps/hermes-attestation-guardian.

Install the skill "hermes-attestation-guardian" (davida-ps/hermes-attestation-guardian) from ClawHub.
Skill page: https://clawhub.ai/davida-ps/hermes-attestation-guardian
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install hermes-attestation-guardian

ClawHub CLI

npx clawhub@latest install hermes-attestation-guardian

Security Scan

Capability signals: Crypto, Requires wallet, Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code and SKILL.md implement Hermes-focused attestation, signature verification, advisory feed checks, baseline diffing, and optional cron scheduling — all coherent with the declared purpose. However the package metadata (registry requirements) omitted the 'node' runtime that SKILL.md and the included .mjs scripts require; that's an inconsistency in declared requirements.
Instruction Scope
Runtime instructions are narrowly scoped to Hermes assets: they read/write files under HERMES_HOME, verify signed artifacts, refresh/verify a remote advisory feed, and manage optional scheduled jobs. The instructions do not ask for unrelated credential stores or arbitrary system data. They do include an explicit pre-install release verification step (downloads from GitHub releases + OpenSSL checks) which is appropriate for the purpose.
Install Mechanism
There is no automatic install spec (no remote downloads executed automatically). The skill is instruction-only regarding install, and the code files are bundled in the skill. This minimizes surprise remote install behavior. The SKILL.md recommends manual verification of release artifacts before install (good).
Credentials
Registry metadata lists no required environment variables, but the code and SKILL.md rely on many environment variables (HERMES_HOME, HERMES_ADVISORY_ALLOW_UNSIGNED_FEED, HERMES_ADVISORY_FEED_STATE_PATH, gateway toggles like HERMES_GATEWAY_TELEGRAM_ENABLED, and others). That mismatch means the skill may behave differently or require operator configuration not documented in the registry entry. The skill also reads and can write files under the user's HERMES_HOME and advisory state; these are reasonable for the stated purpose but represent sensitive local state that the operator should review.
Persistence & Privilege
The skill does not request 'always: true' and allows model invocation (default). It exposes scripts to add managed cron blocks (apply mode) which will mutate the user's crontab/scheduler if used; this is expected for recurring checks but is a privilege that alters system state. The code takes precautions (print-only default, explicit --apply) and confines written paths to HERMES_HOME and rejects symlinks, which is good practice.
What to consider before installing
This package appears to implement the Hermes attestation and advisory-check functionality it claims, but take these precautions before installing or running it:

  • Ensure you have Node installed; SKILL.md and the scripts require node even though the registry metadata omitted it.
  • Verify the release artifacts exactly as the SKILL.md shows (checksums.json, checksums.sig, and the pinned signing public-key fingerprint). Do not skip the OpenSSL verification step.
  • Review and set HERMES_HOME explicitly (the tool confines writes to HERMES_HOME). Inspect existing files under that directory; the tool will read/write under $HERMES_HOME/security and can create state and cached feed files.
  • Audit the hard-coded feed URL and pinned feed public key (DEFAULT_REMOTE_FEED_URL and PINNED_FEED_PUBLIC_KEY_PEM) to ensure they match your operator trust policy and the release verification fingerprint.
  • Be cautious when using any --apply or --allow-unsigned flags: --apply will modify your crontab/scheduler (the scripts call schedule-bin operations) and --allow-unsigned is explicitly emergency-only and bypasses signature checks.
  • Because the registry metadata did not declare env vars the code uses, plan to run the scripts in a controlled sandbox (container or VM) first and run the provided tests (or inspect test scripts) to confirm behavior in your environment.

If you want higher confidence, ask the maintainer for: corrected registry metadata listing 'node' and the env vars the skill reads, a signed release tarball whose checksums match the published manifest, and documentation of the default scheduleBin used for crontab operations.

lib/cron.mjs:116
Shell command execution detected (child_process).
test/attestation_cli.test.mjs:16
Shell command execution detected (child_process).
test/guarded_skill_verify.test.mjs:15
Shell command execution detected (child_process).
test/setup_advisory_check_cron.test.mjs:14
Shell command execution detected (child_process).
test/setup_attestation_cron.test.mjs:14
Shell command execution detected (child_process).
test/feed_verification.test.mjs:65
Environment variable access combined with network send.
lib/feed.mjs:31
File read combined with network send (possible exfiltration).
test/feed_verification.test.mjs:607
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

latest vk978ary3erfe4kxh7dne7h7vk98593p6
87 downloads
0 stars
2 versions
Updated 6d ago
v0.1.0
MIT-0

Hermes Attestation Guardian

IMPORTANT SCOPE:

  • This skill targets Hermes infrastructure only (CLI/Gateway/profile-managed deployments).
  • This skill is not an OpenClaw runtime hook package.

Goal

Generate deterministic Hermes posture attestations, verify them with fail-closed integrity checks, and compare baseline drift using stable severity mapping.

Mandatory release verification gate (before install)

Before treating any release install instructions as valid, verify all three inputs:

  1. checksums.json
  2. checksums.sig
  3. pinned signing public-key fingerprint

BASE="https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0"
TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

curl -fsSL "$BASE/checksums.json" -o "$TMP/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TMP/checksums.sig"
curl -fsSL "$BASE/signing-public.pem" -o "$TMP/signing-public.pem"

[ -s "$TMP/checksums.json" ] || { echo "ERROR: missing checksums.json" >&2; exit 1; }
[ -s "$TMP/checksums.sig" ] || { echo "ERROR: missing checksums.sig" >&2; exit 1; }

EXPECTED_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
ACTUAL_PUBKEY_SHA256="$(openssl pkey -pubin -in "$TMP/signing-public.pem" -outform DER | sha256sum | awk '{print $1}')"
[ "$ACTUAL_PUBKEY_SHA256" = "$EXPECTED_PUBKEY_SHA256" ] || {
  echo "ERROR: signing-public.pem fingerprint mismatch" >&2
  exit 1
}

openssl base64 -d -A -in "$TMP/checksums.sig" -out "$TMP/checksums.sig.bin"
openssl pkeyutl -verify -rawin -pubin -inkey "$TMP/signing-public.pem" \
  -sigfile "$TMP/checksums.sig.bin" -in "$TMP/checksums.json" >/dev/null

Hermes guard trust policy note

When installing from community sources, configure Hermes guard to use signature-aware trust (trusted signer fingerprint allowlist) rather than source-name-only trust. Unknown signer fingerprints should stay on community policy, and invalid signatures must remain blocked.

Commands

# Generate attestation (default output: ~/.hermes/security/attestations/current.json)
node scripts/generate_attestation.mjs

# Generate with explicit policy + deterministic timestamp
node scripts/generate_attestation.mjs \
  --policy ~/.hermes/security/attestation-policy.json \
  --generated-at 2026-04-15T18:00:00.000Z \
  --write-sha256

# Verify schema + canonical digest
node scripts/verify_attestation.mjs --input ~/.hermes/security/attestations/current.json

# Verify with baseline diff (baseline must be authenticated)
node scripts/verify_attestation.mjs \
  --input ~/.hermes/security/attestations/current.json \
  --baseline ~/.hermes/security/attestations/baseline.json \
  --baseline-expected-sha256 <trusted-baseline-sha256> \
  --fail-on-severity high

# Optional detached signature verification
node scripts/verify_attestation.mjs \
  --input ~/.hermes/security/attestations/current.json \
  --signature ~/.hermes/security/attestations/current.json.sig \
  --public-key ~/.hermes/security/keys/attestation-public.pem

# Refresh advisory feed verification state (fail-closed by default)
node scripts/refresh_advisory_feed.mjs

# Check advisory feed verification + feed summary
node scripts/check_advisories.mjs

# Guarded advisory-aware skill verification gate (returns 42 on advisory match without explicit confirm)
node scripts/guarded_skill_verify.mjs --skill some-skill --version 1.2.3

# Explicit operator acknowledgement path for advisory matches
node scripts/guarded_skill_verify.mjs --skill some-skill --version 1.2.3 --confirm-advisory

# Optional temporary unsigned bypass (dangerous; emergency-only)
HERMES_ADVISORY_ALLOW_UNSIGNED_FEED=1 node scripts/refresh_advisory_feed.mjs --allow-unsigned

# Preview scheduler config without mutating user schedule state
node scripts/setup_attestation_cron.mjs --every 6h --print-only

# Apply managed scheduler block
node scripts/setup_attestation_cron.mjs --every 6h --apply

# Preview advisory check scheduler config (guarded flow, print-only default)
node scripts/setup_advisory_check_cron.mjs --every 6h --skill some-skill --print-only

# Apply advisory check scheduler block (uses guarded_skill_verify flow)
node scripts/setup_advisory_check_cron.mjs --every 6h --skill some-skill --version 1.2.3 --apply

# Emergency-only: unsigned bypass for scheduled advisory checks (do not keep enabled)
node scripts/setup_advisory_check_cron.mjs --every 6h --skill some-skill --allow-unsigned --apply

WARNING: --allow-unsigned in scheduled commands is incident-response only. Remove it immediately after recovery and restore signed advisory verification.

Attestation payload (implemented)

The generator emits:

  • schema_version, platform, generated_at
  • generator metadata (skill + node version)
  • host metadata (hostname/platform/arch)
  • posture.runtime (gateway enabled flags + risky toggles)
  • posture.feed_verification status (verified|unverified|unknown) sourced from $HERMES_HOME/security/advisories/feed-verification-state.json
  • posture.integrity watched_files and trust_anchors (existence + sha256)
  • digests.canonical_sha256 over a stable canonical JSON representation

Fail-closed behavior

Verifier exits non-zero when:

  • schema validation fails
  • canonical digest algorithm is unsupported or digest binding mismatches
  • expected file sha256 mismatches (if configured)
  • detached signature verification fails (if configured)
  • baseline is provided without authenticated trust binding (--baseline-expected-sha256 and/or baseline signature + public key)
  • baseline authenticity or baseline schema/digest validation fails
  • baseline diff highest severity is at/above --fail-on-severity (default: critical)

Severity messages are emitted as INFO / WARNING / CRITICAL style lines.

Side effects

  • generate_attestation.mjs writes one JSON file (and optional .sha256) under $HERMES_HOME/security/attestations.
  • verify_attestation.mjs is read-only.
  • refresh_advisory_feed.mjs writes verified feed cache + verification state under $HERMES_HOME/security/advisories.
  • check_advisories.mjs is read-only.
  • guarded_skill_verify.mjs re-runs feed refresh/verification (same advisory cache + state side effects) and then performs advisory-aware gate checks.
  • setup_attestation_cron.mjs is read-only unless --apply is provided.
  • setup_attestation_cron.mjs --apply rewrites only the current user managed schedule block delimited by:
    • # >>> hermes-attestation-guardian >>>
    • # <<< hermes-attestation-guardian <<<
  • setup_advisory_check_cron.mjs is read-only unless --apply is provided.
  • setup_advisory_check_cron.mjs --apply rewrites only the current user advisory-check managed schedule block delimited by:
    • # >>> hermes-attestation-guardian-advisory-check >>>
    • # <<< hermes-attestation-guardian-advisory-check <<<
    • generated command path uses guarded_skill_verify.mjs (advisory-aware gate), not raw check_advisories.mjs
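
The "rewrites only the managed schedule block" behaviour listed above, as an added example that is not the skill's own lib/cron.mjs code: it replaces the text between the two markers, leaves operator-owned lines untouched, and refuses to edit when the markers are damaged. The function name, the sample crontab and the cron lines are constructed for illustration, and refusing on malformed markers is this example's design choice.

```javascript
// Added example: replace only a marker-delimited block in crontab text.
// Marker strings are from the page; every other name here is hypothetical.
const BLOCK_BEGIN = '# >>> hermes-attestation-guardian >>>';
const BLOCK_END = '# <<< hermes-attestation-guardian <<<';

function rewriteManagedBlock(crontabText, entries, begin = BLOCK_BEGIN, end = BLOCK_END) {
  const lines = crontabText === '' ? [] : crontabText.replace(/\n$/, '').split('\n');
  const begins = [];
  const ends = [];
  lines.forEach((line, i) => {
    if (line.trim() === begin) begins.push(i);
    if (line.trim() === end) ends.push(i);
  });
  // Accept zero blocks or exactly one well-formed block. Guessing where a
  // damaged block ends risks deleting entries the operator owns.
  if (begins.length > 1 || ends.length > 1 || begins.length !== ends.length ||
      (begins.length === 1 && ends[0] < begins[0])) {
    throw new Error('managed block markers are malformed; refusing to rewrite');
  }
  // An entry carrying a newline or a marker would escape the managed block.
  for (const e of entries) {
    if (/[\r\n]/.test(e) || e.trim() === begin || e.trim() === end) {
      throw new Error('entry contains a newline or a marker line');
    }
  }
  const block = [begin, ...entries, end];
  const out = begins.length === 1
    ? [...lines.slice(0, begins[0]), ...block, ...lines.slice(ends[0] + 1)]
    : [...lines, ...block];
  return out.join('\n') + '\n';
}

// Constructed sample crontab: operator entries around a stale managed block.
const SAMPLE_CRONTAB = [
  '0 3 * * * /usr/local/bin/backup.sh',
  BLOCK_BEGIN,
  '0 */12 * * * node scripts/verify_attestation.mjs',
  BLOCK_END,
  'MAILTO=ops@example.invalid',
  '',
].join('\n');

function demoRewrite() {
  // Constructed cron line; the skill's real generated command may differ.
  return rewriteManagedBlock(SAMPLE_CRONTAB, ['0 */6 * * * node scripts/generate_attestation.mjs']);
}
```

Running the rewrite a second time on its own output returns the same text, which makes a print-only preview comparable line by line against what an apply would write.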

Advisory feed override knobs

  • Source selection: HERMES_ADVISORY_FEED_SOURCE=auto|remote|local
  • Remote artifacts: HERMES_ADVISORY_FEED_URL, HERMES_ADVISORY_FEED_SIG_URL, HERMES_ADVISORY_FEED_CHECKSUMS_URL, HERMES_ADVISORY_FEED_CHECKSUMS_SIG_URL
  • Local artifacts: HERMES_LOCAL_ADVISORY_FEED, HERMES_LOCAL_ADVISORY_FEED_SIG, HERMES_LOCAL_ADVISORY_FEED_CHECKSUMS, HERMES_LOCAL_ADVISORY_FEED_CHECKSUMS_SIG
  • Pinned key override: HERMES_ADVISORY_FEED_PUBLIC_KEY (default is built-in pinned key)
  • Optional checksum toggle: HERMES_ADVISORY_VERIFY_CHECKSUM_MANIFEST (default: enabled)
  • UNSAFE emergency bypass only: HERMES_ADVISORY_ALLOW_UNSIGNED_FEED=1

Notes

  • Hermes scan + test context is .mjs-based by design:
    • runtime scripts: scripts/*.mjs
    • shared libraries: lib/*.mjs
    • regression tests: test/*.test.mjs
  • Keep .mjs paths/extensions stable so scanner scope, SBOM wiring, and test harness references stay valid.
  • Default output root is ~/.hermes/security/attestations/.
  • No destructive remediation actions (delete/restore/quarantine) are implemented.
  • Advisory feed remote URL allowlisting is not implemented in v0.0.2; operators must explicitly trust configured feed/checksum endpoints.
  • Guarded advisory version matching currently uses a lightweight comparator parser (>=, <=, >, <, =, ^, ~, wildcard *) and does not implement full npm semver range grammar (for example, OR ranges and complex comparator sets).
  • Operator policy file is optional JSON with:
    • watch_files: list of file paths
    • trust_anchor_files: list of file paths
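
The comparator note above, as an added example that is not the skill's own parser: a matcher for the listed operators over plain MAJOR.MINOR.PATCH versions, with a gate wrapper that treats any range it cannot evaluate (OR ranges, comparator sets) as a match. All function names are hypothetical; handling only a bare `*` as the wildcard and failing closed on unsupported ranges are assumptions of this example.

```javascript
// Added example: comparator matching for advisory "affected" ranges.
// Hypothetical names; not the skill's own implementation.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound implied by ~ (next minor) and ^ (next value of the
// first non-zero component).
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function matchesRange(version, range) {
  const spec = range.trim();
  if (spec === '*') return true;
  const m = /^(>=|<=|>|<|=|\^|~)?\s*(\d+\.\d+\.\d+)$/.exec(spec);
  // OR ranges ("||") and comparator sets ("a b") are rejected here.
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || '=';
  const v = parseVersion(version);
  const base = parseVersion(m[2]);
  const c = compareVersions(v, base);
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    case '=': return c === 0;
    default: return c >= 0 && compareVersions(v, upperBound(op, base)) < 0;
  }
}

// Gate decision: a range or version the parser cannot evaluate counts as a
// match, so an unreadable advisory blocks until an operator reviews it.
function advisoryApplies(version, range) {
  try { return matchesRange(version, range); } catch { return true; }
}
```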
