Hermes installation blocked

[kylehagler]

Summary

Trying to install last30days in hermes agent via: hermes skills install mvanhorn/last30days-skill --force

Decision: BLOCKED — Blocked (community source + dangerous verdict, 56 findings). --force does not override a dangerous verdict.

Installation blocked: Blocked (community source + dangerous verdict, 56 findings). --force does not override a dangerous verdict.

Steps to Reproduce

1. Install and setup hermes on VPS
2. Run hermes skills install mvanhorn/last30days-skill --force

Expected Behavior

Skill installs successfully and can be used for research tasks

Error / Traceback

hermes@ubuntu-8gb-hil-1:~$ hermes skills install mvanhorn/last30days-skill --force

Fetching: mvanhorn/last30days-skill
Quarantined to .hub/quarantine/last30days-skill
Running security scan...
Scan: last30days-skill (last30days-skill/community)  Verdict: DANGEROUS
  CRITICAL exfiltration   SKILL-original.md:67           "cat > ~/.config/last30days/.env << 'ENVEOF'"
  CRITICAL exfiltration   README.md:27                   "cat > ~/.config/last30days/.env << 'EOF'"
  CRITICAL persistence    README.md:434                  "**Key insight from Reddit:** Keep CLAUDE.md short (~1K conte"
  CRITICAL persistence    README.md:677                  "> The Cursor community has converged on clear best practices"
  CRITICAL persistence    README.md:680                  "1. Use .cursor/rules/ directory - Multiple .mdc files beat o"
  CRITICAL exfiltration   scripts/lib/env.py:43          "env = value"
  CRITICAL exfiltration   scripts/lib/vendor/bird-search/lib/cookies.js:28 "const value = normalizeValue(process.env);"
  CRITICAL persistence    docs/plans/2026-02-14-feat-codex-skill-compatibility-plan.md:230 "- [AGENTS.md Guide](https://developers.openai.com/codex/guid"
  HIGH     injection      SKILL.md:455                   "**CRITICAL: After research is complete, you are now an EXPER"
  HIGH     privilege_escalation SKILL.md:6                     "allowed-tools: Bash, Read, Write, AskUserQuestion, WebSearch"
  HIGH     injection      SKILL-original.md:357          "**CRITICAL: After research is complete, you are now an EXPER"
  HIGH     privilege_escalation SKILL-original.md:8            "allowed-tools: Bash, Read, Write, AskUserQuestion, WebSearch"
  HIGH     privilege_escalation variants/open/SKILL.md:6       "allowed-tools: Bash, Read, Write, AskUserQuestion, WebSearch"
  HIGH     exfiltration   scripts/last30days.py:839      "os.environ["LAST30DAYS_DEBUG"] = "1""
  HIGH     exfiltration   scripts/lib/env.py:11          "_config_override = os.environ.get('LAST30DAYS_CONFIG_DIR')"
  HIGH     exfiltration   scripts/lib/env.py:67          "config = os.environ.get(key) or file_env.get(key, defau"
  HIGH     exfiltration   scripts/lib/http.py:13         "DEBUG = os.environ.get("LAST30DAYS_DEBUG", "").lower() in (""
  HIGH     exfiltration   scripts/lib/render.py:17       "env_dir = os.environ.get("LAST30DAYS_OUTPUT_DIR")"
  HIGH     exfiltration   scripts/lib/cache.py:20        "env_dir = os.environ.get("LAST30DAYS_CACHE_DIR")"
  HIGH     exfiltration   scripts/lib/vendor/bird-search/lib/cookies.js:28 "const value = normalizeValue(process.env);"
  HIGH     privilege_escalation docs/plans/2026-02-06-fix-skill-execution-fork-mode-plan.md:59 "allowed-tools: Bash, Read, Write, AskUserQuestion, WebSearch"
  HIGH     privilege_escalation docs/plans/2026-02-06-fix-skill-execution-fork-mode-plan.md:69 "allowed-tools: Bash, Read, Write, AskUserQuestion, WebSearch"
  HIGH     exfiltration   docs/plans/2026-02-06-fix-skill-execution-fork-mode-plan.md:16 "- The user saw acknowledgment text (output inline to convers"
  HIGH     exfiltration   docs/plans/2026-02-06-feat-last30days-bird-cli-release-plan.md:259 "| 3 | Restore | Reinstall bird + restore .env | Full mode re"
  HIGH     privilege_escalation docs/plans/2026-02-14-feat-codex-skill-compatibility-plan.md:71 "allowed-tools: Bash, Read, Write, AskUserQuestion, WebSearch"
  MEDIUM   structural     (directory):0                  "89 files"
  MEDIUM   supply_chain   release-notes.md:67            "git clone https://github.com/mvanhorn/last30days-skill.git ~"
  MEDIUM   supply_chain   release-notes.md:70            "git clone https://github.com/mvanhorn/last30days-skill.git ~"
  MEDIUM   supply_chain   README.md:858                  "- **yt-dlp** (optional) - For YouTube search + transcript ex"
  MEDIUM   supply_chain   README.md:23                   "git clone https://github.com/mvanhorn/last30days-skill.git ~"
  MEDIUM   supply_chain   README.md:62                   "git clone https://github.com/mvanhorn/last30days-skill.git ~"
  MEDIUM   supply_chain   README.md:387                  "git clone https://github.com/clawdbot/clawdbot.git"
  MEDIUM   persistence    variants/open/references/watchlist.md:92 "crontab -e"
  MEDIUM   persistence    variants/open/references/watchlist.md:98 "crontab -e"
  MEDIUM   execution      scripts/watchlist.py:142       "result = subprocess.run("
  MEDIUM   execution      scripts/lib/youtube_yt.py:128  "proc = subprocess.Popen("
  MEDIUM   execution      scripts/lib/youtube_yt.py:250  "proc = subprocess.Popen("
  MEDIUM   execution      scripts/lib/bird_x.py:110      "result = subprocess.run("
  MEDIUM   execution      scripts/lib/bird_x.py:184      "proc = subprocess.Popen("
  MEDIUM   execution      scripts/lib/bird_x.py:310      "proc = subprocess.Popen("
  MEDIUM   execution      docs/plans/2026-02-07-feat-bundle-bird-x-search-plan.md:11 "Replace the `subprocess.run(["bird", "search", ...])` depend"
  MEDIUM   execution      docs/plans/2026-02-07-feat-bundle-bird-x-search-plan.md:25 "**Vendor Bird's search-only subset as a Node.js module insid"
  MEDIUM   execution      docs/plans/2026-02-07-feat-bundle-bird-x-search-plan.md:29 "- Replace `subprocess.run(["bird", "search", ...])` with `su"
  MEDIUM   supply_chain   docs/plans/2026-02-07-feat-bundle-bird-x-search-plan.md:11 "Replace the `subprocess.run(["bird", "search", ...])` depend"
  MEDIUM   supply_chain   docs/plans/2026-02-07-feat-bundle-bird-x-search-plan.md:18 "- New users can't `npm install -g @steipete/bird`"
  MEDIUM   supply_chain   docs/plans/2026-02-07-feat-bundle-bird-x-search-plan.md:162 "- [ ] No `npm install -g @steipete/bird` required anywhere"
  MEDIUM   execution      docs/plans/2026-02-14-feat-youtube-transcript-search-plan.md:80 "result = subprocess.run(cmd, capture_output=True, text=True,"
  MEDIUM   execution      docs/plans/2026-02-14-feat-youtube-transcript-search-plan.md:123 "subprocess.run(cmd, capture_output=True, text=True, timeout="
  MEDIUM   persistence    docs/plans/2026-02-14-feat-merge-openclaw-variant-plan.md:182 "| watchlist.py depends on OpenClaw cron API | High | Known —"
  MEDIUM   supply_chain   docs/plans/2026-02-14-feat-merge-openclaw-variant-plan.md:116 "git clone https://github.com/mvanhorn/last30days-skill.git ~"
  MEDIUM   supply_chain   docs/plans/2026-02-14-feat-merge-openclaw-variant-plan.md:119 "git clone https://github.com/mvanhorn/last30days-skill.git ~"
  MEDIUM   supply_chain   docs/plans/2026-02-03-bird-cli-integration-design.md:23 "│        ├─ Yes → Run `npm install -g @steipete/bird`"
  MEDIUM   supply_chain   docs/plans/2026-02-03-bird-cli-integration-design.md:43 "- `install_bird()` → runs `npm install -g @steipete/bird`, r"
  MEDIUM   execution      docs/plans/2026-02-03-bird-cli-implementation.md:52 "result = subprocess.run("
  MEDIUM   execution      docs/plans/2026-02-03-bird-cli-implementation.md:106 "result = subprocess.run("
  MEDIUM   execution      docs/plans/2026-02-03-bird-cli-implementation.md:207 "result = subprocess.run("

Decision: BLOCKED — Blocked (community source + dangerous verdict, 56 findings). --force does not override a dangerous verdict.

Installation blocked: Blocked (community source + dangerous verdict, 56 findings). --force does not override a dangerous verdict.

Install Method

Claude Code plugin

OS

Ubuntu 26.04

[mvanhorn]

Thanks for the detailed report, Kyle - the full scan output is really helpful.

Good news: I went through all 56 findings and none of them are real. This is the scanner pattern-matching on benign code. A few representative examples:

• allowed-tools: Bash, Read, Write, ... (flagged HIGH privilege_escalation) is the required SKILL.md frontmatter that the Claude/Agent skill spec mandates. Every compliant skill declares it - there's no way to author a skill without it.
• The os.environ.get(...) lines (flagged exfiltration) just read local config like LAST30DAYS_CONFIG_DIR. Reading an env var is the opposite of exfiltrating one - nothing is sent anywhere.
• cat > ~/.config/last30days/.env (flagged CRITICAL exfiltration) is a setup doc telling you to write your own API keys into your own local config file. It writes in, it doesn't send out.
• "Keep CLAUDE.md short" and "you are now an EXPERT..." (flagged persistence/injection) are prose and the skill's own prompt text.

There is one legitimate thing on my side: the install path scans dev artifacts that shouldn't ship with an installed skill - SKILL-original.md, docs/plans/, release-notes.md. My .clawhubignore already excludes these from the ClawHub bundle, but the Hermes installer clones raw GitHub and doesn't honor it. I'll open a PR to trim those so they stop showing up in scans.

That said, trimming won't flip the verdict on its own. The remaining flags (the allowed-tools frontmatter, env-var reads, the local .env setup snippet) are intrinsic to any working skill, so the DANGEROUS verdict will persist until the scanner side can distinguish these patterns. Two things that would help on the Hermes end:

1. Honor a skill-provided ignore file (or .clawhubignore) so dev/docs artifacts aren't scanned.
2. Severity tuning so required frontmatter and os.environ.get config reads aren't CRITICAL/HIGH, or a trust/attested-source path for known publishers.

Happy to provide a minimal file manifest of exactly what an install needs if that's useful for testing. Appreciate you surfacing this.

[mvanhorn]

Cleanup PR is up: #465 - it drops the dev artifacts (SKILL-original.md, docs/plans/, docs/test-results/, release-notes.md) so they stop tripping the scanner. That removes about half the findings, including 2 of the 8 criticals. The rest are the intrinsic ones (required allowed-tools frontmatter, env-var config reads, the local .env setup snippet) that'll need scanner-side handling. Offer stands to share a minimal install manifest if it helps you test a trust path.

[teknium1]

Thanks both — @kylehagler for the full scan dump and @mvanhorn for the per-finding triage.

I went through the scanner side. Three of the patterns you flagged were genuine false positives, and those are fixed on main now (NousResearch/hermes-agent#36231):

• read_secrets_file — no longer matches cat > file.env << heredocs (writing your own keys into your own local config). cat file.env reads stay flagged.
• allowed-tools: frontmatter — was HIGH privilege_escalation, now LOW/informational. It's required by the skill spec, so it no longer drives the verdict.
• os.environ — os.environ.get("CONFIG_VAR") config reads are now clean. Secret-named reads (os.environ.get("API_KEY") etc.) are still flagged CRITICAL via a dedicated pattern.

Also added: the scanner now honors a skill-provided .skillignore / .clawhubignore (gitignore-style), so dev/docs artifacts shipped at a skill's root are excluded from both structural checks and pattern scanning. SKILL.md itself can never be ignored.

One honest caveat after E2E-scanning the actual install target (skills/last30days/, old vs new scanner): these fixes do not flip last30days to installable on their own. The remaining verdict is driven by content that is genuinely the shape the scanner watches for — secret-named env reads (OPENAI_API_KEY, GITHUB_TOKEN, SCRAPE_CREATORS_API_KEY), vendored JS reading process.env[key], os.environ.copy(), and an oversized skill dir. A regex static scanner can't distinguish "reads OPENAI_API_KEY to call OpenAI" from "reads it to ship it elsewhere," so those stay flagged by design.

Two notes on the .clawhubignore angle specifically: the Hermes installer scans the skill subdirectory that contains SKILL.md (here skills/last30days/), not the repo root — so the root-level .clawhubignore and the artifacts it excludes (SKILL-original.md, docs/plans/, release-notes.md) were never in the install scan to begin with. If you want the ignore behavior to apply, a .skillignore/.clawhubignore inside skills/last30days/ will now be honored.

Properly unblocking a skill that legitimately needs secret-named env reads is a separate piece of work on our end — a trust/attested-source path for known publishers. That's tracked separately; this PR was the scanner-correctness pass.