skill-audit
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/audit.py` performs file system management operations within the agent's environment. It uses `shutil.rmtree` and `Path.unlink` to delete skill directories in `~/.hermes/skills/` and `~/.agents/skills/`. It also modifies the `~/.hermes/config.yaml` file to disable builtin skills. These actions are protected by a default dry-run mode and require explicit user confirmation via the `--execute` flag.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8) through its reporting mechanism.
  - Ingestion points: Untrusted data enters the context via the `messages` table in the SQLite database `~/.hermes/state.db` (analyzed in `scripts/audit.py`).
  - Boundary markers: Absent. Skill names and tool arguments retrieved from the database are interpolated directly into Markdown f-strings for the report.
  - Capability inventory: The skill has the ability to delete directories, unlink files, and modify the agent's main configuration file (`scripts/audit.py`).
  - Sanitization: No escaping or sanitization is performed on the data retrieved from the database history. Maliciously crafted skill names (e.g., containing Markdown syntax or control characters) could potentially disrupt the report's presentation or influence the user's perception of the audit results.
Audit Metadata