VYPR
Unrated severity · NVD Advisory · Published May 24, 2026

NousResearch hermes-agent Skills Guard Multi-Word Prompt skills_guard.py injection

CVE-2026-9353

Description

A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skills_guard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREAT_PATTERNS leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A prompt injection bypass in NousResearch hermes-agent up to 2026.4.23 lets attackers evade critical severity filters in skills_guard.py by inserting extra words.

Vulnerability

A prompt injection vulnerability exists in the skills_guard.py component of NousResearch hermes-agent up to version 2026.4.23. The THREAT_PATTERNS list uses rigid regular expressions for certain critical patterns (e.g., r'system\s+prompt\s+override' and r'new\s+policy') that do not allow arbitrary word insertions between keywords, unlike two other patterns that were hardened in commit 4ea29978 [1]. Affected versions: all versions up to and including 2026.4.23 [1].

Exploitation

An attacker must be able to supply an untrusted skill definition to the skills_guard.py mechanism, which requires the community skills installation feature to be enabled [1]. The attacker can bypass the rigid patterns by inserting extra words between the critical keywords, for example writing "system prompt temporary override" instead of "system prompt override". Because the patterns allow only whitespace (\s+) between keywords, Python's re module finds no match in the modified phrase [1]. The proof-of-concept script is publicly available [1].

Impact

Successful exploitation allows the attacker to bypass critical severity filters, including the filter for system prompt override, enabling the installation of malicious skills into the workspace that can modify the agent's core behaviors. This constitutes a breach of integrity and confidentiality, potentially leading to arbitrary code execution or data exfiltration depending on the installed skill's capabilities [1].

Mitigation

As of the publication date (2026-05-24), the vendor was contacted but did not respond [1]. No official patch has been released [1]. The commit 4ea29978 partially addressed similar patterns but explicitly omitted the two vulnerable patterns; users should monitor for a future commit or release that extends flexible matching to the remaining patterns, or disable the community skills installation feature if not required [1].
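A regression check for this class of gap, as an added example that is not code from hermes-agent or from commit 4ea29978: it tests whether a pattern still fires when a filler word is inserted between keywords. The harden() helper, the three-word gap limit and the IGNORECASE flag are assumptions made for illustration; only the two pattern strings and the sample phrase come from the advisory text.

```python
import re

# Patterns quoted in the advisory; everything else here is illustrative.
RIGID_PATTERNS = {
    "system prompt override": r"system\s+prompt\s+override",
    "new policy": r"new\s+policy",
}


def harden(pattern: str, max_gap_words: int = 3) -> str:
    """Allow up to max_gap_words filler words at every \\s+ keyword boundary.

    Hypothetical hardening, not the project's fix. A bounded gap keeps
    matching cost predictable; a wider gap raises the false-positive rate.
    """
    gap = r"\s+(?:\w+\s+){0,%d}" % max_gap_words
    return pattern.replace(r"\s+", gap)


def insertion_variants(phrase: str, filler: str = "temporary"):
    """Yield the phrase with one filler word placed in each keyword gap."""
    words = phrase.split()
    for i in range(1, len(words)):
        yield " ".join(words[:i] + [filler] + words[i:])


def missed_variants(pattern: str, phrase: str) -> list:
    """Return the word-insertion variants the pattern fails to flag."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [v for v in insertion_variants(phrase) if not rx.search(v)]


def audit(patterns: dict) -> dict:
    """Map each phrase to the variants its pattern misses (empty = covered)."""
    return {phrase: missed_variants(rx, phrase) for phrase, rx in patterns.items()}


if __name__ == "__main__":
    print("rigid:   ", audit(RIGID_PATTERNS))
    hardened = {p: harden(rx) for p, rx in RIGID_PATTERNS.items()}
    print("hardened:", audit(hardened))
```

Run against a real THREAT_PATTERNS list, a non-empty result for any entry identifies a pattern that still needs flexible matching.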

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
