hermes-desktop-os1-native-macos-client

Fail

Audited by Snyk on May 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). These links are mostly API endpoints and GitHub repos (not direct executables), but the workflow repeatedly instructs downloading/running a prebuilt macOS app from GitHub releases, installing npm tools (npx), and optionally enabling "shell/admin" toolsets that grant broad system access — all from relatively small/unverified projects/domains (orgo.ai, ara.so, nickvasilescu/dodo-reach repos), so they present a moderate-to-high risk if the sources or binaries are not trusted or vetted.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and displays user-generated VM/agent "sessions" and other VM content from the Orgo platform via its API (e.g., GET /api/computers/{id}/sessions and the fetchSessions example in SKILL.md) and also exposes Orgo MCP toolsets to the voice model (including opt-in shell/admin tools), so third‑party session/content can be read and materially influence agent/tool actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.85). The skill makes runtime HTTP calls to Orgo platform endpoints (e.g., POST https://www.orgo.ai/api/computers/{id}/bash and /exec and direct wss://<fly_instance_id>.orgo.dev/terminal?...) which execute arbitrary commands on remote VMs and are required for the app’s core functionality, so these URLs allow remote code execution at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill exposes and encourages enabling "shell" and "admin" toolsets and documents APIs (POST /bash, POST /exec, PUT /files), installer behavior (apt installs, stale-apt cleanup) and local MCP tooling that allow arbitrary command execution and file writes with system-level impact, which can modify or compromise machine state.

Issues (4)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 16, 2026, 06:50 PM
Issues: 4