hermes-webui-agent
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs the user to clone the Hermes WebUI source code from a third-party GitHub repository (https://github.com/nesquena/hermes-webui.git) and pull Docker images from the GitHub Container Registry.
- [COMMAND_EXECUTION]: Instructs the user to run various administrative shell commands, including python-based bootstrap scripts, shell-based daemon controllers (ctl.sh), and Docker orchestration commands to set up and manage the environment.
- [REMOTE_CODE_EXECUTION]: The installation process involves running a bootstrap script (python3 bootstrap.py) and a shell launcher (start.sh) immediately after downloading the repository, which executes external code on the host system.
- [PROMPT_INJECTION]: The skill documents a surface for indirect prompt injection by integrating the agent with multiple messaging platforms (Telegram, Discord, Slack, Signal) and a web interface.
  - Ingestion points: Messaging platform webhooks/tokens and the WebUI API.
  - Boundary markers: None explicitly defined in the provided snippets to isolate system instructions from external data.
  - Capability inventory: The agent has capabilities for subprocess execution (subprocess.run), file system modification (STATE_DIR/sessions), and workspace access.
  - Sanitization: Relies on standard Flask/Werkzeug security for authentication, but does not specify sanitization for the content of messages retrieved from external platforms.
Audit Metadata