ワンクリックで
audit-approval-bypass
Audit which subagents and skills bypass approval; flag any that touch untrusted input
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Audit which subagents and skills bypass approval; flag any that touch untrusted input
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Build human-readable release notes from a range of commits or merged PRs
Produce a weekly "What's new in Hermes" digest by summarizing merged PRs + active issues from NousResearch/hermes-agent
Sweep inbox (email + Slack + Telegram DMs) and produce a prioritized action list with suggested replies
Prepare a 1-page brief for an upcoming meeting by combining calendar context, recent threads with attendees, and relevant docs
Classify incoming messages from public channels as spam / prompt-injection-attempt / genuine; quarantine risky ones
Delegate a PR review to Claude Code with a scoped read-only GitHub PAT
| name | audit-approval-bypass |
| description | Audit which subagents and skills bypass approval; flag any that touch untrusted input |
| when_to_use | ["User asks to audit approval / bypass configuration","Scheduled monthly security check","Before granting a new subagent bypass"] |
| toolsets | ["terminal","file"] |
Approval bypass is how power users make trusted subagents run unattended. It's also how attackers escalate if misconfigured. This skill catches drift.
Load ~/.hermes/config.yaml → security.approval block. Capture:
bypass_subagents[]auto_approve_readrequire_approval[] rulesdenylist[]For each subagent in bypass_subagents:
a. Locate its skill file: ~/.hermes/skills/<name>/SKILL.md.
b. Parse the frontmatter when_to_use: and toolsets:.
c. Flag if the skill reads any of:
gateway: trigger pattern)/scrape|fetch_url|crawl/)toolsets: includes terminal or bash AND the skill accepts any user-supplied argument.Check the denylist:
rm -rf / or curl * | sh style patterns are missing.cat ~/.ssh/, aws s3 sync, curl.*169.254.169.254).Check require_approval layers:
github: [create_pr, merge_pr, delete_branch]email: [send]twilio: [send_sms]terminal: pattern-basedany_mcp: sampling: true presentRender a report:
## Approval Bypass Audit — 2026-04-17
### Bypass subagents
- ✅ nightly-backup — read-only, no untrusted input
- ✅ build-and-test — CI-triggered, clean workspace
- 🔴 telegram-triage — BYPASSED but reads Telegram messages (untrusted input)
### Denylist coverage
- ✅ rm -rf patterns
- ✅ curl | bash patterns
- 🟡 Missing: AWS metadata IP exfil (169.254.169.254)
- 🟡 Missing: SSH key reads (cat ~/.ssh/)
### Require-approval layers
- ✅ github destructive actions
- ✅ email send
- 🔴 Missing: any_mcp with sampling:true
### Recommendations
1. Remove telegram-triage from bypass_subagents (it reads untrusted input).
2. Add denylist entries for 169.254 and ~/.ssh.
3. Add require_approval for MCP sampling calls.
Offer to apply fixes. Never auto-apply.
security.approval is missing entirely, treat that as 🔴 HIGH across the board and suggest the full config from Part 19.audit-mcp skill's output — an MCP flagged HIGH there often correlates with a bypass misconfig here.