Security audit
Hermes Tweet
Security checks across malware telemetry and agentic risk
Overview
This skill is a disclosed Hermes/Xquik integration for X/Twitter automation, with sensitive actions gated behind explicit user approval and environment configuration.
Install this only if you intend to let Hermes/Xquik work with an X account. Keep action tools disabled until needed, do not paste API keys into chat, and review any post, DM, follow, delete, monitor, webhook, extraction job, draw, or media operation before approving it. The separate Hermes Tweet plugin should be reviewed separately for its actual runtime permissions.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.