NousResearch Hermes-Agent Prompt Injection Filter Bypass Vulnerability

A prompt injection filter bypass vulnerability has been identified in NousResearch Hermes-Agent versions through 2026.4.30. The issue resides in the skills management functionality, specifically within the tools/skills_tool.py file. The vulnerability allows for injection attacks that can be executed remotely, by exploiting the filter's reliance on naive exact-string matching to detect malicious content in user-installed skills. This flaw enables crafted prompt injection payloads to pass undetected into the LLM agent context, potentially allowing attackers to manipulate the agent's behavior or extract sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized prompt injection into the LLM agent's context, bypassing existing security filters. This could allow attackers to gain control over the agent's responses and behavior, potentially overriding safety constraints, accessing sensitive data, executing commands through the agent's shell tool, or manipulating the end user via crafted agent responses.

Reproduction

The vulnerability can be reproduced by creating a malicious skill that includes a prompt injection payload with extra words or synonyms, and then loading this skill through the 'skill_view()' function. The injection filter will fail to detect the payload, allowing it to be injected into the LLM agent's context.