hermes-workspace-ai-agent-ui

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Most links are local/internal endpoints or GitHub repos (lower intrinsic risk), but the presence of a raw.githubusercontent.com install.sh used with curl | bash, Docker image pulls, and third‑party repos means this collection can be used to distribute code/executables and should be treated as moderately risky unless the sources and scripts/images are verified.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly states a "Skills Catalog: Browse 2,000+ skills" and "MCP Integration: ... marketplace, and source management" (under "What It Does"), which indicates the workspace browses/ingests user-contributed marketplace/third‑party skills that the agent can load and execute, so untrusted third‑party content can influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The SKILL includes a one-line installer that runs remote code—curl -fsSL https://raw.githubusercontent.com/outsourc-e/hermes-workspace/main/install.sh | bash—and also instructs cloning https://github.com/outsourc-e/hermes-workspace.git, both of which fetch and execute repository code required to run the workspace.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt includes privileged system operations (sudo ufw allow), instructions that modify system state (firewall rules, pkill, rm -rf, curl | bash installer, Docker host networking and service config), and guidance to disable auth—so it encourages actions that can change or weaken the machine's state and security.