GitHub Config Sync

Security checks across malware telemetry and agentic risk

Overview

This sync skill is open about using GitHub, but it can copy credentials and session data into a Git repository, and it repeatedly points users at the author’s repository URL.

Review carefully before installing or running. Use only a repository you own and verify `git remote -v` before any push. Do not sync `.env`, `auth.json`, sessions, or other secrets through GitHub; remove those copy commands or add them to `.gitignore`. Treat restored skills and config as code from the remote repository, and back up local Hermes files before pulling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs users to copy `.env` and `auth.json` into a GitHub-synced repository, which can expose API keys and authentication tokens far beyond what is necessary for ordinary config sync. Even if the repo is intended to be private, private repos can still be misconfigured, shared, leaked, or later made public, turning credential backup into credential disclosure.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The documentation says users can copy any other files into the sync directory and commit them, which expands the skill from Hermes config sync into arbitrary data exfiltration or oversharing. That broadens the blast radius significantly because users may sync secrets, personal documents, or unrelated sensitive material without safeguards.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's stated purpose is syncing Hermes configuration and data, but it also stages and pushes highly sensitive artifacts such as .env, auth.json, and session state into a Git repository. This can expose API keys, auth tokens, and active sessions to anyone with repository access, and the skill context makes this more dangerous because users are encouraged to run it routinely as a convenience workflow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Synchronizing authentication secrets and active session data is not necessary for ordinary config sync and materially increases the blast radius of repository compromise. In this skill context, bundling secrets with routine sync makes accidental credential leakage and cross-device session theft much more likely.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The pull path overwrites local .env, auth.json, and session files from repository contents, effectively importing remote credentials and active session state into the local Hermes installation. This is dangerous because a compromised or stale repository can silently replace local trust material, enabling account takeover, persistence, or confusion about which identity is active.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to copy and push entire Hermes configuration, memories, and skills directories to a GitHub repository without any warning about secrets, tokens, personal data, or untrusted skill content that may be included there. This creates a realistic risk of sensitive data disclosure or propagation of malicious content across devices, especially if the repository is public or shared, and the download workflow later restores that content directly into the active Hermes environment.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill recommends syncing API keys and auth material with only a mild note that they are 'optional' and sensitive, but it does not provide strong warnings about credential theft, repository exposure, or token reuse risk. In a sync/backup context, users are especially likely to follow these steps verbatim, making the absence of explicit safeguards dangerous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The download workflow copies files directly into `~/.hermes/` and can overwrite existing configuration, skills, memories, sessions, and auth data without backup or confirmation. In context, this can cause data loss, corruption, or restoration of malicious or stale content from the repository onto the local system.

Missing User Warnings

High
Confidence
95% confidence
Finding
The maintenance section advises `git reset --hard HEAD^` and `git push --force` without emphasizing that these are destructive history-rewriting operations. In a shared or backup repository, that can irreversibly delete synchronized data, complicate recovery, and destroy audit/history useful for incident response.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script copies .env and auth.json into the sync directory and later runs git add . and git push without any warning that secrets may be published or shared. The lack of disclosure is particularly risky in a one-command sync tool because users may assume only benign configuration files are being uploaded.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The pull operation overwrites local Hermes files with repository versions without prompting, backup, or diff review. In context, this convenience sync behavior can destroy local state or import unsafe remote changes, including altered skills or configuration that changes agent behavior.

VirusTotal

No VirusTotal findings
