multi-tool-architecture-assessment

Fail

Audited by Snyk on Jun 24, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The System State Audit agent is explicitly instructed to check "config dirs", to "check for tokens/credentials", and to "Report exact state," which requires reading and potentially outputting secret values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The “External Research” step explicitly instructs Agent 1 to use the web tool to research open-market tools (e.g., GitHub repos and npm/PyPI pages), which will fetch and ingest outsider-authored free text from public web content into the agent’s LLM context at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt directs local system inspection (including tokens/credentials) and explicitly instructs write-back to ~/.hermes/skills/ and .Codex/skills/, which accesses sensitive data and modifies the host filesystem (though it does not request sudo or system-level config changes).

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Jun 24, 2026, 03:43 AM
  • Issues: 3