Summary
The code execution sandbox (tools/code_execution_tool.py) adds the hermes root directory to PYTHONPATH, allowing sandboxed scripts to import any hermes internal module. This enables credential theft without triggering any security checks.
Impact
A prompt-injected execute_code task can:
- import hermes_cli.auth → read all OAuth tokens from ~/.hermes/auth.json
- import agent.credential_pool → iterate over all API keys
- import tools.approval → call approve_session() / approve_permanent() to whitelist dangerous command patterns
- import tools.terminal_tool → execute commands with force=True
The existing env var filtering (lines ~989-1009) blocks SECRET-like variable names from the subprocess environment, but this is irrelevant when the script can read credentials directly from disk via imported modules.
Attack chain: Combined with the non-interactive auto-approve behavior (approval.py:617 — already reported in #7826 M1), this enables silent credential exfiltration with zero user approval: a malicious MCP tool response, skill, or web page content injects instructions → LLM calls execute_code → sandbox script imports hermes internals → reads auth.json → exfiltrates via subprocess.
Steps to Reproduce
- Start hermes in any non-interactive context (cron, batch, subagent)
- Inject a prompt that triggers execute_code with:
import json
from pathlib import Path
auth = json.loads((Path.home() / ".hermes" / "auth.json").read_text())
print(auth) # or exfiltrate via requests
- The script executes successfully, returning all stored credentials
Suggested Fix
Remove the hermes root from PYTHONPATH in the sandbox subprocess. Provide a minimal, pre-approved set of importable modules via a virtual environment or import hook. At minimum, add an __init__.py-level import guard that blocks imports of hermes_cli, agent, tools, and gateway packages when running inside the sandbox context.
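The two halves of the suggested fix, as an added example written for this report rather than code taken from hermes: a helper that builds the sandbox subprocess environment with the hermes root removed from PYTHONPATH, and a sys.meta_path import hook that refuses the hermes_cli, agent, tools and gateway packages. The package list is the minimum named above, not a verified inventory of the hermes tree; the HERMES_SANDBOX variable name and the idea that the sandbox runner would install the hook before running the script (for example from a sitecustomize or a small wrapper) are assumptions.

```python
import os
import sys
from importlib.abc import MetaPathFinder

# The packages this report names as reachable from the sandbox. Assumed to be
# the minimum to block; it is not a complete inventory of hermes internals.
BLOCKED_TOP_LEVEL = frozenset({"hermes_cli", "agent", "tools", "gateway"})

# Assumption: how the subprocess learns it is running inside the sandbox.
SANDBOX_ENV_FLAG = "HERMES_SANDBOX"


class SandboxImportError(ImportError):
    """Raised by the guard; distinct from a plain ModuleNotFoundError."""


def strip_hermes_root_from_pythonpath(env, hermes_root):
    """Return a copy of `env` whose PYTHONPATH no longer lists the hermes root.

    First half of the fix: the sandbox subprocess never gets the hermes
    checkout on its import path, so `import hermes_cli` fails for the same
    reason any unrelated package would.
    """
    env = dict(env)
    root = os.path.abspath(hermes_root)
    entries = env.get("PYTHONPATH", "").split(os.pathsep)
    kept = [p for p in entries if p and os.path.abspath(p) != root]
    if kept:
        env["PYTHONPATH"] = os.pathsep.join(kept)
    else:
        env.pop("PYTHONPATH", None)
    env[SANDBOX_ENV_FLAG] = "1"
    return env


class HermesImportGuard(MetaPathFinder):
    """Meta path finder that refuses the hermes internal packages.

    Inserted at the front of sys.meta_path it is consulted before the normal
    path finders, so even if the hermes root is still importable by some other
    route the import fails with SandboxImportError instead of loading code.
    """

    def __init__(self, blocked=BLOCKED_TOP_LEVEL):
        self.blocked = frozenset(blocked)

    def find_spec(self, fullname, path=None, target=None):
        top_level = fullname.partition(".")[0]
        if top_level in self.blocked:
            raise SandboxImportError(
                f"import of {fullname!r} is not permitted inside the sandbox"
            )
        return None  # not ours: let the remaining finders handle it


def install_import_guard(blocked=BLOCKED_TOP_LEVEL):
    """Put the guard first on sys.meta_path (idempotent)."""
    for finder in sys.meta_path:
        if isinstance(finder, HermesImportGuard):
            return finder
    guard = HermesImportGuard(blocked)
    sys.meta_path.insert(0, guard)
    return guard


def is_import_blocked(fullname):
    """True if importing `fullname` is refused by the guard; other import
    errors (module genuinely absent) propagate so they are not mistaken
    for the guard doing its job."""
    try:
        __import__(fullname)
    except SandboxImportError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample environment, not a real hermes install.
    sample_env = {"PYTHONPATH": "/opt/hermes:/usr/lib/site", "HOME": "/home/u"}
    print(strip_hermes_root_from_pythonpath(sample_env, "/opt/hermes"))
    install_import_guard()
    print("tools.approval blocked:", is_import_blocked("tools.approval"))
    print("json blocked:", is_import_blocked("json"))
```

Stripping PYTHONPATH (or running the script in a separate virtual environment) is the part that actually removes the capability; the meta path guard runs inside the same interpreter as the sandboxed script, so it is defence in depth rather than a boundary on its own, and it does nothing for a script that reads ~/.hermes/auth.json with plain file I/O, as the reproduction above does. That file access needs a filesystem-level restriction on the subprocess in addition to the import changes.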
Severity
Critical — enables remote credential theft via prompt injection with no user interaction required.