Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hermes Install

v1.0.2

Complete Hermes Agent installation and migration guide. Use when user wants to install Hermes Agent, migrate from OpenClaw to Hermes, configure Feishu/Lark c...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (Hermes install & OpenClaw migration) match the instructions: cloning, installing, configuring models and Feishu, and copying OpenClaw files. There are no requested environment variables or unrelated credentials declared that would contradict the stated purpose.
Instruction Scope
Instructions legitimately cover installing, configuring, and migrating, including reading ~/.openclaw/openclaw.json and copying credentials into ~/.hermes/.env. These file reads and config edits are within migration scope but involve handling sensitive API keys and secrets: the guide explicitly instructs extracting and copying them.
Install Mechanism
This is instruction-only (no install spec). However the guide recommends executing remote install scripts via curl|bash (raw.githubusercontent.com and astral.sh). Fetching and piping remote scripts to sh is common for installers but carries elevated risk; users should inspect the scripts before running.
Credentials
The guide shows many environment variables and API keys (OpenRouter, OpenAI, DASHSCOPE, FEISHU_*) but does not demand unrelated or excessive credentials. Asking the user to migrate keys from OpenClaw is expected for a migration tool. Still, these are sensitive secrets and the guide instructs moving them into local files.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. The instructions modify user-local configs (PATH, ~/.hermes/*, ~/.bashrc) which is appropriate for an installer. YOLO mode (which can let the agent auto-execute commands) is documented — this increases runtime risk if enabled but is a user-controlled Hermes feature rather than an incoherent requirement of the skill itself.
Assessment
This guide appears consistent with installing and migrating a local Hermes Agent, but it asks you to run remote install scripts and to copy API keys/secrets from OpenClaw into Hermes configuration. Before proceeding: (1) inspect any remote scripts (the raw.githubusercontent.com and astral.sh URLs) instead of piping them blindly to sh; (2) back up ~/.openclaw and relevant files; (3) confirm any example credentials are placeholders and do not paste real secrets that you haven't verified; (4) be cautious enabling YOLO mode — it skips confirmations and can let the agent execute filesystem or system commands; and (5) prefer running steps manually or in a sandbox until you trust the installer and configuration changes.
