v1.0.0

Hermit Search Publish

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

This skill is a coherent local search helper, but users should review the Git-based install source and be careful about which folders they index.

Guidance: Before installing, check that you trust the Hermit GitHub repository. When using the skill, add only the folders you actually want searchable, configure ignore rules for sensitive files, and stop the local Hermit service when you no longer need it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
uv tool install git+https://github.com/xxxgqcoder/hermit.git

The documented installation pulls the Hermit tool from a GitHub repository rather than from bundled, reviewed code or a pinned version.

User impact: Installing from a moving Git repository means the code you install may differ from what the skill instructions describe.
Recommendation: Review the repository and, where possible, install from a trusted release or pinned commit.
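The `@<ref>` suffix is the standard pip/uv way to pin a `git+` install spec, and only a full 40-hex commit id is immutable: a branch moves with every push and a tag can be deleted and re-pointed. The following added example (not part of the skill or of Hermit) classifies how a spec is pinned and rewrites a floating spec to a specific commit. The commit id used in the comments and the `v1.0.0` tag naming are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Added example, not the skill's or Hermit's own code.
FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG = re.compile(r"^v?\d+(\.\d+)+$")  # e.g. v1.0.0 (assumed tag naming)


def split_git_spec(spec):
    """Return (repo_url, ref_or_None) for a git+<scheme>://host/path[@ref] spec."""
    if not spec.startswith("git+"):
        raise ValueError(f"not a git+ spec: {spec}")
    url = urlsplit(spec[len("git+"):])          # drops any #subdirectory=... fragment
    head, sep, ref = url.path.rpartition("@")   # '@' in the netloc (git@host) is untouched
    repo_path = head if sep else url.path
    return f"{url.scheme}://{url.netloc}{repo_path}", (ref if sep else None)


def classify_git_spec(spec):
    """'commit' (immutable), 'tag' (looks like a version tag, but tags can be
    moved), 'ref' (branch name or abbreviated id, moves freely), or
    'floating' (no ref at all, i.e. the repository's default branch)."""
    _, ref = split_git_spec(spec)
    if ref is None:
        return "floating"
    if FULL_COMMIT.match(ref):
        return "commit"
    if VERSION_TAG.match(ref):
        return "tag"
    return "ref"


def pinned_spec(spec, commit):
    """Rewrite `spec` so it installs exactly `commit` (a full 40-hex id)."""
    if not FULL_COMMIT.match(commit):
        raise ValueError("pin to a full 40-character commit id, not an abbreviation")
    repo, _ = split_git_spec(spec)
    return f"git+{repo}@{commit}"


if __name__ == "__main__":
    spec = "git+https://github.com/xxxgqcoder/hermit.git"   # the spec from SKILL.md
    fake_commit = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit
    print(classify_git_spec(spec))                           # floating
    print("uv tool install", pinned_spec(spec, fake_commit))
```

Resolve the commit id you want from the repository you have reviewed (for example from the release you inspected on GitHub), then install with the rewritten spec; re-running the install later will fetch the same code.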
Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
hermit start

The skill starts a local service with a PID and port and also documents stop/status/log commands, indicating disclosed background operation.

User impact: Hermit may keep running locally after being started until the user stops it.
Recommendation: Use `hermit status` and `hermit stop` when finished, and review logs if you want to confirm what the service is doing.
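`hermit status` reports what Hermit believes about its own service; an independent check is to probe the PID and port that `hermit start` printed. The following added example (not Hermit's code) does that on a Unix host. Which PID and port values to pass is not stated on this page; the `open_listener` helper only exists so the check can be demonstrated against a throwaway socket.

```python
import os
import socket

# Added example, not Hermit's own code. Unix semantics: os.kill(pid, 0) probes
# for existence without sending a signal.


def pid_alive(pid):
    """True if a process with this PID still exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def port_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def service_stopped(pid, port):
    """Return (stopped, detail). `stopped` is True only when the PID is gone
    AND nothing is listening on the port; either one alone means something
    is still running (a re-spawned process, or a different process on the port)."""
    alive, listening = pid_alive(pid), port_listening(port)
    if not alive and not listening:
        return True, "pid gone, port closed"
    parts = []
    if alive:
        parts.append(f"pid {pid} still alive")
    if listening:
        parts.append(f"port {port} still accepting connections")
    return False, "; ".join(parts)


def open_listener(host="127.0.0.1"):
    """Bind a throwaway listening socket on a free port (demo stand-in for the service)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # Stand-in for the PID/port printed by `hermit start`; constructed for the demo.
    demo = open_listener()
    demo_port = demo.getsockname()[1]
    print(service_stopped(os.getpid(), demo_port))  # (False, '... still alive; ... still accepting ...')
    demo.close()
    print(service_stopped(os.getpid(), demo_port))  # (False, 'pid ... still alive')
```

Run `service_stopped(pid, port)` with the real values after `hermit stop`; if it reports the port still open but the PID gone, check `hermit log` output and `ss -ltnp` (or `lsof -i :<port>`) to see which process holds it.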
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`directory`: folder path; Hermit recursively scans it and indexes the text files inside

The skill explicitly indexes text files recursively from a user-selected folder into a searchable knowledge base.

User impact: Private or sensitive files inside an indexed folder could become searchable through the local knowledge base.
Recommendation: Index only intended folders, use the documented ignore rules for sensitive paths or file types, and remove collections that should no longer be searchable.
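Because the scan is recursive, the practical check is to walk the folder the same way before handing it to Hermit and list what would be indexed that should not be. The following added example (not Hermit's code, and not its documented ignore-rule syntax) does that with an assumed list of sensitive file names, directory names and content markers; the sample folder it builds is constructed for the demo and contains no real secrets.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Added example, not Hermit's own code. The patterns below are this example's
# assumptions about what counts as sensitive, not the skill's ignore rules.
SENSITIVE_NAMES = [
    ".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx", "id_rsa", "id_ed25519",
    ".netrc", ".npmrc", ".pypirc", "credentials", "credentials.*", "*secret*",
]
SENSITIVE_DIRS = {".git", ".ssh", ".aws", ".gnupg", ".kube", ".docker"}
# Byte markers that identify key material regardless of file name:
# the PEM private-key header and the AWS access-key-id prefix.
CONTENT_MARKERS = [b"PRIVATE KEY-----", b"AKIA"]


def reason_for(path, root):
    """Return why `path` should be excluded from indexing, or None if it looks fine."""
    rel = path.relative_to(root)
    for part in rel.parts[:-1]:
        if part in SENSITIVE_DIRS:
            return f"inside {part}/"
    name = path.name.lower()
    for pat in SENSITIVE_NAMES:
        if fnmatch.fnmatchcase(name, pat):
            return f"name matches {pat}"
    try:
        head = path.read_bytes()[:4096]   # only the head, large files stay cheap
    except OSError:
        return "unreadable"
    for marker in CONTENT_MARKERS:
        if marker in head:
            return f"content contains {marker.decode()}"
    return None


def audit_directory(root):
    """Walk `root` recursively, as the indexer would, and return sorted
    (relative_path, reason) pairs for files that should not be indexed."""
    root = Path(root)
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            why = reason_for(p, root)
            if why:
                flagged.append((p.relative_to(root).as_posix(), why))
    return sorted(flagged)


def build_sample_tree():
    """Create a constructed sample folder (fake contents) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="hermit-audit-"))
    files = {
        "notes/meeting.md": b"# Sync notes\nDiscussed indexing.\n",
        "notes/README.txt": b"Project docs.\n",
        ".env": b"DB_PASSWORD=not-a-real-password\n",
        "deploy/server.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "backup/keys.txt": b"-----BEGIN OPENSSH PRIVATE KEY-----\n",
        ".git/config": b"[core]\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, why in audit_directory(build_sample_tree()):
        print(f"{rel}: {why}")
```

Run `audit_directory` on the folder you intend to pass as `directory`; anything it lists either gets moved out, added to Hermit's ignore rules, or is a reason to index a narrower subfolder instead.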