hermes-agent
Helps configure and extend Hermes Agent for effective AI-driven task execution across multiple platforms.
Install this skill
Security score
The hermes-agent skill was audited on Jun 5, 2026 and we found 58 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Piping content to bash shell
| 38 | curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash |
System command execution
| 989 | **Monkeypatching `sys.platform` is not enough** when the code under test also calls `platform.system()` / `platform.release()` / `platform.mac_ver()`. Those functions re-read the real OS independently |
Curl to non-GitHub URL
| 38 | curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash |
Webhook reference - potential data exfiltration
| 26 | - **Extensible** — plugins, MCP servers, custom tools, webhook triggers, cron scheduling, and the full Python ecosystem. |
Webhook reference - potential data exfiltration
| 158 | Supported platforms: Telegram, Discord, Slack, WhatsApp, Signal, Email, SMS, Matrix, Mattermost, Home Assistant, DingTalk, Feishu, WeCom, BlueBubbles (iMessage), Weixin (WeChat), API Server, Webhooks. |
Webhook reference - potential data exfiltration
| 186 | ### Webhooks |
Webhook reference - potential data exfiltration
| 189 | hermes webhook subscribe N Create route at /webhooks/<name> |
Webhook reference - potential data exfiltration
| 190 | hermes webhook list List subscriptions |
Webhook reference - potential data exfiltration
| 191 | hermes webhook remove NAME Remove a subscription |
Webhook reference - potential data exfiltration
| 192 | hermes webhook test NAME Send a test POST |
Webhook reference - potential data exfiltration
| 196 | patterns: `skill_view(name="hermes-agent", file_path="references/webhooks.md")`. |
Access to hidden dotfiles in home directory
| 291 | /reload-skills Re-scan ~/.hermes/skills/ for added/removed skills |
Access to hidden dotfiles in home directory
| 345 | ~/.hermes/config.yaml Main configuration |
Access to hidden dotfiles in home directory
| 346 | ~/.hermes/.env API keys and secrets |
Access to hidden dotfiles in home directory
| 348 | ~/.hermes/sessions/ Gateway routing index, request dumps, *.jsonl transcripts (and optional per-session JSON snapshots when sessions.write_json_snapshots: true) |
Access to hidden dotfiles in home directory
| 349 | ~/.hermes/state.db Canonical session store (SQLite + FTS5) |
Access to hidden dotfiles in home directory
| 350 | ~/.hermes/logs/ Gateway and error logs |
Access to hidden dotfiles in home directory
| 351 | ~/.hermes/auth.json OAuth tokens and credential pools |
Access to hidden dotfiles in home directory
| 352 | ~/.hermes/hermes-agent/ Source code (if git-installed) |
Access to hidden dotfiles in home directory
| 355 | Profiles use `~/.hermes/profiles/<name>/` with the same layout. |
Access to hidden dotfiles in home directory
| 499 | Some shell-hook integrations require explicit allowlisting before they fire. Managed via `~/.hermes/shell-hooks-allowlist.json` — prompted interactively the first time a hook wants to run. |
Access to hidden dotfiles in home directory
| 680 | - **Telemetry:** sidecar at `~/.hermes/skills/.usage.json` holds |
Access to hidden dotfiles in home directory
| 840 | grep -i "failed to send\|error" ~/.hermes/logs/gateway.log | tail -20 |
Access to hidden dotfiles in home directory
| 878 | | Gateway logs | `~/.hermes/logs/gateway.log` | |
Access to hidden dotfiles in home directory
| 880 | | Source code | `~/.hermes/hermes-agent/` | |
Access to hidden dotfiles in home directory
| 911 | Config: `~/.hermes/config.yaml` (settings), `~/.hermes/.env` (API keys). |
Access to hidden dotfiles in home directory
| 941 | All handlers must return JSON strings. Use `get_hermes_home()` for paths, never hardcode `~/.hermes`. |
Access to hidden dotfiles in home directory
| 970 | - Tests auto-redirect `HERMES_HOME` to temp dirs — never touch real `~/.hermes/` |
Access to .env file
| 100 | hermes config env-path Print .env path |
Access to .env file
| 292 | /reload Reload .env variables into the running session (CLI) |
Access to .env file
| 346 | ~/.hermes/.env API keys and secrets |
Access to .env file
| 818 | 2. Some tools need env vars (check `.env`) |
Access to .env file
| 824 | 3. Check `.env` has the right API key |
Access to .env file
| 911 | Config: `~/.hermes/config.yaml` (settings), `~/.hermes/.env` (API keys). |
Access to .env file
| 1027 | - Config values go in `config.yaml`, secrets go in `.env` |
External URL reference
| 32 | **Docs:** https://hermes-agent.nousresearch.com/docs/ |
External URL reference
| 38 | curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash |
External URL reference
| 121 | hermes skills install ID Install a skill (ID can be a hub identifier OR a direct https://…/SKILL.md URL; pass --name to override when frontmatter has no name) |
External URL reference
| 160 | Platform docs: https://hermes-agent.nousresearch.com/docs/user-guide/messaging/ |
External URL reference
| 242 | authoritative list or see the [live slash commands reference](https://hermes-agent.nousresearch.com/docs/reference/slash-commands). |
External URL reference
| 375 | Full config reference: https://hermes-agent.nousresearch.com/docs/user-guide/configuration |
External URL reference
| 405 | Full provider docs: https://hermes-agent.nousresearch.com/docs/integrations/providers |
External URL reference
| 665 | User docs: https://hermes-agent.nousresearch.com/docs/user-guide/features/cron |
External URL reference
| 686 | User docs: https://hermes-agent.nousresearch.com/docs/user-guide/features/curator |
External URL reference
| 715 | User docs: https://hermes-agent.nousresearch.com/docs/user-guide/features/kanban |
External URL reference
| 866 | | Config options | `hermes config edit` or [Configuration docs](https://hermes-agent.nousresearch.com/docs/user-guide/configuration) | |
External URL reference
| 867 | | Available tools | `hermes tools list` or [Tools reference](https://hermes-agent.nousresearch.com/docs/reference/tools-reference) | |
External URL reference
| 868 | | Slash commands | `/help` in session or [Slash commands reference](https://hermes-agent.nousresearch.com/docs/reference/slash-commands) | |
External URL reference
| 869 | | Skills catalog | `hermes skills browse` or [Skills catalog](https://hermes-agent.nousresearch.com/docs/reference/skills-catalog) | |
External URL reference
| 870 | | Provider setup | `hermes model` or [Providers guide](https://hermes-agent.nousresearch.com/docs/integrations/providers) | |
External URL reference
| 871 | | Platform setup | `hermes gateway setup` or [Messaging docs](https://hermes-agent.nousresearch.com/docs/user-guide/messaging/) | |
External URL reference
| 872 | | MCP servers | `hermes mcp list` or [MCP guide](https://hermes-agent.nousresearch.com/docs/user-guide/features/mcp) | |
External URL reference
| 873 | | Profiles | `hermes profile list` or [Profiles docs](https://hermes-agent.nousresearch.com/docs/user-guide/profiles) | |
External URL reference
| 874 | | Cron jobs | `hermes cron list` or [Cron docs](https://hermes-agent.nousresearch.com/docs/user-guide/features/cron) | |
External URL reference
| 875 | | Memory | `hermes memory status` or [Memory docs](https://hermes-agent.nousresearch.com/docs/user-guide/features/memory) | |
External URL reference
| 876 | | Env variables | `hermes config env-path` or [Env vars reference](https://hermes-agent.nousresearch.com/docs/reference/environment-variables) | |
External URL reference
| 877 | | CLI commands | `hermes --help` or [CLI reference](https://hermes-agent.nousresearch.com/docs/reference/cli-commands) | |
External URL reference
| 886 | For occasional contributors and PR authors. Full developer docs: https://hermes-agent.nousresearch.com/docs/developer-guide/ |