hermes-agent

Warn

Audited by Socket on May 10, 2026

1 alert found:

Anomaly (LOW)
references/getting-started/installation.md

No direct malicious code is shown in this documentation fragment. However, it instructs users to execute a network-fetched installer script immediately via a curl|bash pipeline, which is a high-impact supply-chain execution pattern. Because secrets are configured in ~/.hermes/.env and multiple dependencies/integration extras are installed, the blast radius of a compromised installer or dependency could be substantial. Integrity verification (pinned revision, checksum/signature validation) and inspection of scripts/install.sh and installed package sources are recommended before trusting this install method.

Confidence: 56%
Severity: 68%

Audit Metadata

Analyzed At: May 10, 2026, 04:08 PM
Package URL: pkg:socket/skills-sh/Fandhe-AI%2Fagent-reference-skills%2Fhermes-agent%2F@580efda50d026701322b6245560d385e95f62512