hermes-agent
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Most entries point to legitimate documentation and well-known services (NousResearch docs, GitHub, PyPI, Apple, localhost), but there are risky items — a raw install script (raw.githubusercontent.com .../install.sh) which invites curl|bash execution, a third‑party GitHub repo (GanyuanRan/Aegis) that should be security-reviewed before installing, and an unfamiliar domain (dc.hhhl.cc) used for provider endpoints — any of which could be used to distribute malware if run without inspection.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). Hermes can ingest outsider-authored free text via messaging-platform gateway inputs (e.g., Telegram/Discord/Slack/etc.) and voice transcription, which are then appended into the agent’s LLM message context during the runtime conversation loop.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs runtime fetching and syncing of external GitHub repos and raw install scripts (e.g. git clone https://github.com//.git, https://github.com/GanyuanRan/Aegis, and curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash) which copies remote SKILL.md files into ~/.hermes/skills (injected into agent context) and can execute remote install code, so these URLs are runtime dependencies that can control prompts or run code.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata