hermai

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs agents to ask users to paste cookies and to include API keys/tokens (e.g., Authorization or Cookie headers) verbatim in generated requests/commands, which requires the LLM to handle and output secret values directly, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill (SKILL.md and the CLI/API docs such as references/cli.md and references/api.md) explicitly fetches and inspects arbitrary public websites via commands like hermai detect/probe/intercept/discover/registry pull/fetch and even ingests and executes captured site JavaScript via schema runtime.signer_js/bootstrap_js (references/runtime.md), so it consumes untrusted, user-generated third‑party web content which the agent must read and which can materially change signing, request construction, and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly documents that its runtime bootstrap can fetch live site bundles (e.g. https://abs.twimg.com/responsive-web/client-web/main..js) during execution to extract bearers/signers that are then used/executed by the schema's signer/bootstrap code to compute per-request headers, so a remote URL is fetched at runtime and its content directly controls execution/signing.