fix(cron): skip security scan for user-created skill content #23470
Closed
algojogacor wants to merge 1 commit into
Conversation
Skills from ~/.hermes/skills/ are user-created and trusted. They commonly contain educational code examples (e.g., github-auth with curl $GITHUB_TOKEN) that trigger exfil_curl/read_secrets false positives when loaded by cron jobs. Fix: only scan the user-supplied prompt for threats when all loaded skills are from the user's own skills directory. External/plugin skill content continues to be scanned. Closes the false-positive gap introduced by the #3968 fix (_scan_assembled_cron_prompt) without reopening the original injection vector.
Summary
Cron jobs that load user-created skills fail with false-positive security blocks. Skills from ~/.hermes/skills/ commonly contain educational code examples (e.g., github-auth documenting curl with $GITHUB_TOKEN) that trigger the exfil_curl and read_secrets threat patterns.
Root Cause
_build_job_prompt assembles the user prompt + loaded skill content into one string, then calls _scan_assembled_cron_prompt (introduced by #3968) which scans the entire result. User-created skills with code snippets match threat regex patterns that were designed for malicious user input — not for trusted skill documentation.
Fix
Before scanning, check if all loaded skills reside under ~/.hermes/skills/ (the user's own skills directory). If yes, only scan the user-supplied prompt for threats — skill content is trusted. If any skill is from an external/plugin source, scan the full assembled prompt (preserving the #3968 protection).
Testing
Related