fix: harden skill trust source matching (#31229)

Co-authored-by: gaia <gaia@gaia.local>
Jorge Fuenmayor 2026-05-25 03:51:15 -05:00 committed by GitHub
parent 2d422720b5
commit 93660643a6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 78 additions and 8 deletions


@ -917,12 +917,14 @@ def _resolve_trust_level(source: str) -> str:
# Agent-created skills get their own permissive trust level
if normalized_source == "agent-created":
return "agent-created"
# Official optional skills shipped with the repo
if normalized_source.startswith("official/") or normalized_source == "official":
# Official optional skills must be identified by source provenance, not by
# user-controlled GitHub identifiers such as "official/<repo>".
if normalized_source == "official":
return "builtin"
# Check if source matches any trusted repo
# Check if source matches any trusted repo exactly, or a skill path inside
# that repo. Do not trust sibling repositories that merely share a prefix.
for trusted in TRUSTED_REPOS:
if normalized_source.startswith(trusted) or normalized_source == trusted:
if normalized_source == trusted or normalized_source.startswith(f"{trusted}/"):
return "trusted"
return "community"
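Review bot: The boundary check `normalized_source.startswith(f"{trusted}/")` in the `TRUSTED_REPOS` loop is only as strong as the normalization that produces `normalized_source`, which happens above this hunk and is not visible here. If that step does not already reject empty, `.` and `..` path segments, a source string can pass the prefix test without naming a path inside the trusted repo; a guard just before the loop such as `if any(seg in ("", ".", "..") for seg in normalized_source.split("/")): return "community"` would close that off. The check also assumes `TRUSTED_REPOS` entries carry no trailing slash and share the case convention of `normalized_source`, which deserves a one-line comment next to the loop, for example `# TRUSTED_REPOS entries are canonical "owner/repo": lower-case, no trailing slash`. Separately, the `normalized_source == "official"` branch still derives `"builtin"` from a string, so it is worth confirming that only the loader for bundled skills can set that value and that it can never come from a user-supplied identifier. The body of `_resolve_trust_level` starts outside the hunk, so these points are hedged on what the normalization actually does.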