بنقرة واحدة
audit-approval-bypass
Audit which subagents and skills bypass approval; flag any that touch untrusted input
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Audit which subagents and skills bypass approval; flag any that touch untrusted input
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Build human-readable release notes from a range of commits or merged PRs
Produce a weekly "What's new in Hermes" digest by summarizing merged PRs + active issues from NousResearch/hermes-agent
Sweep inbox (email + Slack + Telegram DMs) and produce a prioritized action list with suggested replies
Prepare a 1-page brief for an upcoming meeting by combining calendar context, recent threads with attendees, and relevant docs
Classify incoming messages from public channels as spam / prompt-injection-attempt / genuine; quarantine risky ones
Delegate a PR review to Claude Code with a scoped read-only GitHub PAT
استنادا إلى تصنيف SOC المهني
| name | audit-approval-bypass |
| description | Audit which subagents and skills bypass approval; flag any that touch untrusted input |
| when_to_use | ["User asks to audit approval / bypass configuration","Scheduled monthly security check","Before granting a new subagent bypass"] |
| toolsets | ["terminal","file"] |
Approval bypass is how power users make trusted subagents run unattended. It's also how attackers escalate if misconfigured. This skill catches drift.
Load ~/.hermes/config.yaml → security.approval block. Capture:
bypass_subagents[]auto_approve_readrequire_approval[] rulesdenylist[]For each subagent in bypass_subagents:
a. Locate its skill file: ~/.hermes/skills/<name>/SKILL.md.
b. Parse the frontmatter when_to_use: and toolsets:.
c. Flag if the skill reads any of:
gateway: trigger pattern)/scrape|fetch_url|crawl/)toolsets: includes terminal or bash AND the skill accepts any user-supplied argument.Check the denylist:
rm -rf / or curl * | sh style patterns are missing.cat ~/.ssh/, aws s3 sync, curl.*169.254.169.254).Check require_approval layers:
github: [create_pr, merge_pr, delete_branch]email: [send]twilio: [send_sms]terminal: pattern-basedany_mcp: sampling: true presentRender a report:
## Approval Bypass Audit — 2026-04-17
### Bypass subagents
- ✅ nightly-backup — read-only, no untrusted input
- ✅ build-and-test — CI-triggered, clean workspace
- 🔴 telegram-triage — BYPASSED but reads Telegram messages (untrusted input)
### Denylist coverage
- ✅ rm -rf patterns
- ✅ curl | bash patterns
- 🟡 Missing: AWS metadata IP exfil (169.254.169.254)
- 🟡 Missing: SSH key reads (cat ~/.ssh/)
### Require-approval layers
- ✅ github destructive actions
- ✅ email send
- 🔴 Missing: any_mcp with sampling:true
### Recommendations
1. Remove telegram-triage from bypass_subagents (it reads untrusted input).
2. Add denylist entries for 169.254 and ~/.ssh.
3. Add require_approval for MCP sampling calls.
Offer to apply fixes. Never auto-apply.
security.approval is missing entirely, treat that as 🔴 HIGH across the board and suggest the full config from Part 19.audit-mcp skill's output — an MCP flagged HIGH there often correlates with a bypass misconfig here.