hermes-war-room-ui
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The installation instructions direct the user to download a compressed archive from an external GitHub repository (github.com/Naroh091/hermes-war-room) that is not part of a recognized trusted organization.
- [REMOTE_CODE_EXECUTION]: The skill executes code from the downloaded external archive directly using Node.js (node .output/server/index.mjs).
- [COMMAND_EXECUTION]: The server-side logic (e.g., in server/api/operatives/create) uses shell execution (execAsync) with parameters such as 'slug' and 'cloneFrom' that are taken directly from user-provided API request bodies, creating a high-risk command injection surface.
- [DATA_EXFILTRATION]: The skill requires access to and reads from sensitive local directories, specifically ~/.hermes, which contains the agent's database (kanban.db) and configuration profiles (SOUL.md).
- [PROMPT_INJECTION]: The skill processes untrusted external data, creating an indirect prompt injection surface.
  - Ingestion points: Untrusted data enters the agent context through the mission message API (/api/missions/:id/message) and task summaries retrieved from the database (SKILL.md).
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the described logic.
  - Capability inventory: The system has capabilities for subprocess execution (execAsync) and file system access across all scripts (SKILL.md).
  - Sanitization: No validation or escaping of the external input is demonstrated in the provided code snippets.
Recommendations
- AI detected serious security threats
Audit Metadata