NousResearch hermes-agent Skills Guard Multi-Word Prompt Injection Bypass Vulnerability

A critical prompt injection vulnerability has been identified in NousResearch hermes-agent versions through 2026.4.23. The issue resides in the Skills Guard Multi-Word Prompt Handler, specifically within the file agent/skills_guard.py. The vulnerability allows remote exploitation by manipulating the THREAT_PATTERNS argument, leading to injection that bypasses critical detection filters. This could enable the installation of malicious skills that alter the AI agent's core behaviors.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of the AI agent's execution logic by bypassing a critical severity check. This could result in the installation of a malicious skill that is loaded into the system prompt for all future sessions, potentially instructing the agent to perform harmful actions or override policies without the user's awareness.

Reproduction

The vulnerability can be reproduced by enabling the community skills installation feature or by passing an untrusted skill definition to the skills_guard.py mechanism. Once these conditions are met, the injection bypass can be achieved by inserting extra words into the payload, circumventing the rigid regular expression patterns that are supposed to block such injections.