hermes-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill documentation shows Hermes can fetch and execute untrusted public content—e.g., the "web" and "browser" toolsets for web search/content extraction, "hermes skills browse/install" and "hermes skills tap add REPO" (pulling GitHub/public skills), and the Quick Start curl|bash install from raw.githubusercontent.com—so the agent is expected to ingest third‑party web/repo content that can influence its tool use and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start includes an explicit install command that downloads and executes remote code (curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash), which runs fetched code at setup time and is presented as the required installation path.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill documentation explicitly instructs running privileged/system-level commands and editing system files (e.g., "sudo loginctl enable-linger $USER", edit /etc/wsl.conf, installing background services), which modify the host state and require elevated privileges.