ocas-styx
Styx enriches raw bank transaction data, providing a clean interface for querying and linking transactions to real business entities.
Install this skill
Security score
The ocas-styx skill was audited on Jun 15, 2026 and we found 18 security issues across 2 threat categories, including 10 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Access to root home directory
| 74 | Styx maintains its own SQLite database at `/root/.hermes/data/styx.db`. |
Access to root home directory
| 78 | - `/root/.hermes/data/transactions.db` — raw Plaid transaction data (889 transactions, last: 2026-05-20) |
Access to root home directory
| 79 | - `/root/.hermes/data/styx.db` — enriched merchant data (895 transaction_merchants, 366 merchants, all enriched as of 2026-06-13) |
Access to root home directory
| 83 | A second copy exists at `/root/.hermes/commons/data/ocas-styx/styx.db` but it is a stale 0-byte stub — ignore it. |
Access to root home directory
| 112 | # Last known path (may not exist): /root/.hermes/commons/data/ocas-styx/styx_universal_enrich.py |
Access to root home directory
| 115 | python3 /root/.hermes/profiles/indigo/skills/ocas-styx/scripts/styx_places_enrich.py --all |
Access to root home directory
| 192 | - **`google_auth_mcp` import path is profile-dependent** — When running under the `indigo` Hermes profile, `Path.home()` returns `/root/.hermes/profiles/indigo/home` instead of `/root`. Scripts that d |
Access to root home directory
| 193 | - **Indigo's OAuth token file may lack `client_secret`** — The token file at `/root/.google_workspace_mcp/credentials/[email protected]` may only have `access_token`, `refresh_token`, `c |
Access to root home directory
| 194 | - **Database and secrets path mismatch (migration artifact)** — After a profile/data migration, the active databases live at `/root/.hermes.old/data/` (`styx.db`, `transactions.db`) and secrets at `/r |
Access to root home directory
| 196 | mkdir -p /root/.hermes/data |
Access to root home directory
| 197 | ln -sf /root/.hermes.old/data/styx.db /root/.hermes/data/styx.db |
Access to root home directory
| 198 | ln -sf /root/.hermes.old/data/transactions.db /root/.hermes/data/transactions.db |
Access to root home directory
| 199 | ln -sf /root/.hermes.old/secrets /root/.hermes/secrets |
Access to root home directory
| 201 | The universal enrichment script at `/root/.hermes.old/commons/data/ocas-styx/styx_universal_enrich.py` (not in the skill's `scripts/` or `commons/data/`) must be run from that location. |
Access to root home directory
| 206 | - **styx_universal_enrich.py does not exist on disk (as of 2026-06-13)** — The universal enrichment script referenced in this skill has not been created. Only `styx_places_enrich.py` (food-only) exist |
Access to root home directory
| 207 | - **Correct script path for food-only enrichment** — The food-only script lives at `/root/.hermes/profiles/indigo/skills/ocas-styx/scripts/styx_places_enrich.py`, NOT at `/root/.hermes/skills/ocas-sty |
Access to .env file
| 194 | - **Database and secrets path mismatch (migration artifact)** — After a profile/data migration, the active databases live at `/root/.hermes.old/data/` (`styx.db`, `transactions.db`) and secrets at `/r |
External URL reference
| 193 | - **Indigo's OAuth token file may lack `client_secret`** — The token file at `/root/.google_workspace_mcp/credentials/[email protected]` may only have `access_token`, `refresh_token`, `c |