skills/fikriaf/agentos/hermes-agent/Gen Agent Trust Hub

hermes-agent

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The documentation instructs the user to install the agent using a command that downloads a script from a remote GitHub repository and pipes it directly to the bash interpreter (curl -fsSL ... | bash). This is a critical risk as the remote source is not under the skill author's direct control and the script could be modified to execute arbitrary malicious code.
  • [COMMAND_EXECUTION]: The agent described in the skill possesses powerful toolsets, including a terminal tool for shell commands and a code_execution tool for running Python code. These broad capabilities allow the agent to manage processes and modify the host system.
  • [EXTERNAL_DOWNLOADS]: The guide mentions installing third-party Python packages via pip (e.g., faster-whisper, neutts), which introduces potential supply chain vulnerabilities.
  • [PROMPT_INJECTION]: The skill architecture allows the agent to process data from untrusted external sources, such as messaging platforms and webhooks. Since the agent has system-level capabilities, this creates a surface for indirect prompt injection.
      • Ingestion points: Messaging gateways (Telegram, Discord, Slack, etc.), Webhook endpoints (/webhooks/<name>), and voice message transcriptions.
      • Boundary markers: No explicit delimiters or 'ignore instructions' directives are documented for processing external data.
      • Capability inventory: Full access to shell commands (terminal), the file system (file), Python execution (code_execution), and browser automation.
      • Sanitization: There is no mention of sanitizing or validating data received from external platforms before it is passed to the agent's reasoning loop.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 29, 2026, 06:06 AM