hermes-a2a-setup
Fail
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The instructions require the user to clone a repository from an unverified GitHub account (iamagenius00) and execute a shell script (
install.sh). This presents a high risk of arbitrary code execution from an untrusted source. - [EXTERNAL_DOWNLOADS]: The skill depends on fetching code and scripts from a non-whitelisted third-party repository on GitHub.
- [COMMAND_EXECUTION]: The skill directs the user to run shell commands to enable plugins (
hermes plugins enable a2a) and modify environment variables, which alters the host's execution environment. - [PROMPT_INJECTION]: The architecture establishes a surface for indirect prompt injection by receiving JSON-RPC messages from external agents and injecting them into the current session context.
- Ingestion points: Incoming network requests from remote agent endpoints directed to the local server on port 8081.
- Boundary markers: None specified in the instructions to prevent the model from obeying instructions embedded in the injected messages.
- Capability inventory: The skill registers tools like
a2a_callanda2a_discoverthat allow the agent to interact with other network endpoints. - Sanitization: The skill claims to include injection filtering in
security.py, but these mechanisms are unverified and may be bypassed.
Recommendations
- AI detected serious security threats
Audit Metadata