hermes-desktop-companion
Warn
Audited by Snyk on May 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and interprets arbitrary public content—e.g., the "/browse " slash command and the "web" / "browser" tools (Tools Management) plus installing skills from arbitrary GitHub repositories (Skills Management → "install from GitHub")—so it consumes untrusted third-party webpages and repos that can influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The Skills install flow allows fetching GitHub repositories at runtime (e.g., repository URLs like https://github.com/username/repo-name or raw files from https://raw.githubusercontent.com/...), and those SKILL.md markdown files (YAML frontmatter + content) are injected as skill instructions that directly control the agent's prompts/behavior, so remote repo content becomes a required runtime dependency that can execute or direct the agent.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit instructions to run sudo package installs and, critically, to create a temporary passwordless sudoers entry (/etc/sudoers.d/hermes-install), which directs the agent to bypass/obtain elevated privileges and modify system files—posing a direct system-compromise risk.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.