Summary
The read_file tool in tools/file_tools.py (lines ~309-326) has path guards for .hermes/ internal paths, but these guards only block reading Skills Hub metadata. They do not block reading ~/.hermes/auth.json (which contains all OAuth tokens and API keys) or ~/.hermes/mcp-tokens/ (which contains MCP OAuth tokens).
Impact
The LLM can directly read credentials by calling read_file("~/.hermes/auth.json"). Combined with the code execution sandbox's PYTHONPATH access, this provides multiple paths to credential theft.
The redact_sensitive_text() function in agent/redact.py is applied to file read output, but it uses regex pattern matching for known API key prefixes. OAuth tokens (which don't match known patterns like sk-, ghp_, AKIA) pass through unredacted.
Suggested Fix
Add auth.json, mcp-tokens/, and .env to the file_tools sensitive path blocklist:
SENSITIVE_PATHS = [
    "~/.hermes/auth.json",
    "~/.hermes/mcp-tokens/",
    "~/.hermes/.env",
]
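A blocklist alone is only as good as the path comparison behind it, so here is an added example (not the project's own code; the function name and the sample home directory are assumptions) of a guard that expands "~", collapses "..", resolves symlinks where the path exists, and treats entries ending in "/" as whole directories:

```python
import os
from pathlib import Path
from typing import Optional

# Entries from the suggested fix; a trailing "/" marks a directory whose
# entire subtree is blocked.
SENSITIVE_PATHS = [
    "~/.hermes/auth.json",
    "~/.hermes/mcp-tokens/",
    "~/.hermes/.env",
]


def _canonical(path: str, home: str) -> Path:
    # Expand a leading "~/" against the given home (so the check is
    # testable without touching the real HOME), collapse "." and "..",
    # then resolve symlinks for whatever part of the path exists.
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return Path(os.path.abspath(path)).resolve(strict=False)


def is_sensitive_path(requested: str, home: Optional[str] = None) -> bool:
    """Return True if `requested` is, or lies inside, a blocked path.

    Comparison is done on canonical absolute paths, so "../" tricks and
    relative spellings of the same file are caught. Hypothetical helper,
    not the read_file implementation from tools/file_tools.py.
    """
    home = home or os.path.expanduser("~")
    target = _canonical(requested, home)
    for entry in SENSITIVE_PATHS:
        blocked = _canonical(entry, home)
        if entry.endswith("/"):
            # Directory entry: block the directory itself and anything under it.
            if target == blocked or blocked in target.parents:
                return True
        elif target == blocked:
            return True
    return False
```

Wire the check in before the file is opened, rather than relying on redact_sensitive_text() to scrub the contents afterwards.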
Severity
Warning — credential exposure via direct file read.