fix(cron): split scanner into two tiers so skill prose stops false-positiving (#32339)

The runtime cron prompt scanner (added in #3968 to plug the "malicious skill carrying an injection payload" gap) reuses the same critical-severity patterns as the create-time user-prompt scan against the *assembled* prompt — which includes loaded skill markdown. That works fine for narrow patterns like "ignore previous instructions" which never legitimately appear in prose. It catastrophically false- positives on command-shape patterns like `cat ~/.hermes/.env`, `authorized_keys`, `/etc/sudoers`, and `rm -rf /`, which routinely appear in security postmortems and runbooks as **descriptive prose** about attacks, not as actual commands. Concrete failure: the bundled `hermes-agent-dev` skill contains a security postmortem section saying "the attacker could just `cat ~/.hermes/.env`". Every PR-scout cron job that loaded this skill was silently blocked with `Blocked: prompt matches threat pattern 'read_secrets'`. All 11 scout jobs failed for weeks. Fix: split the scanner into two tiers and route by context: - `_scan_cron_prompt` (strict, unchanged behavior) runs against the small user-authored cron prompt at create/update and as a runtime defense-in-depth when no skills are attached. A legit user prompt has no business saying `cat .env`, so the strict patterns still apply there. - `_scan_cron_skill_assembled` (new, looser) runs against the assembled prompt when skills are attached. It only catches unambiguous prompt-injection directives ("ignore previous instructions", "disregard your rules", "system prompt override", "do not tell the user") plus invisible-unicode markers. Command- shape patterns are dropped because they false-positive on prose. This is defense-in-depth, not the only line of defense. Skill bodies are already scanned at install time by `skills_guard.py`; the runtime cron scan exists purely as a tripwire for an obvious injection directive surviving a malicious install. Catching prose mentions of commands was never the goal of #3968 — the test that planted a skill containing `cat ~/.hermes/.env` was the wrong shape of test for the threat model. Tests: - `_scan_cron_prompt` strict behavior preserved (56 existing tests unchanged: bare `cat .env`, `rm -rf /`, etc. still block). - New `TestScanCronSkillAssembled` class verifies the looser scanner: injection / disregard / system-override / do-not-tell-the-user / invisible-unicode still block; descriptive prose about attack commands is allowed; GitHub auth-header allowlist still works. - `test_skill_with_env_exfil_payload_raises` (planted `cat .env` in skill body) replaced with `test_skill_with_env_exfil_command _in_prose_is_allowed` documenting the new correct behavior with the real-world postmortem-style example that triggered the bug. - All 11 originally-failing PR-scout jobs validated end-to-end via `_build_job_prompt` — assembled prompts now build successfully with the `hermes-agent-dev` skill attached. Total: 75/75 tests in cron + cronjob_tools + threat scanner pass; 544/544 across the wider cron / memory / threat-pattern surface.
2026-06-05 07:41:39 +00:00 · 2026-05-25 18:20:45 -07:00 · 2026-05-25 18:20:45 -07:00 · ccd899318e
commit ccd899318e
parent e3236e99a4
4 changed files with 196 additions and 26 deletions
--- a/tests/cron/test_cron_prompt_injection_skill.py
+++ b/tests/cron/test_cron_prompt_injection_skill.py
@ -174,23 +174,37 @@ class TestBuildJobPromptScansSkillContent:
            scheduler._build_job_prompt(job)
        assert "prompt_injection" in str(exc_info.value)

-    def test_skill_with_env_exfil_payload_raises(self, cron_env):
+    def test_skill_with_env_exfil_command_in_prose_is_allowed(self, cron_env):
+        """A skill that *describes* an exfil command in prose (e.g. a
+        security postmortem documenting "the attacker could just
+        ``cat ~/.hermes/.env``") must NOT be blocked. This was a real
+        false positive in the bundled `hermes-agent-dev` skill that
+        silently killed every PR-scout cron job for weeks.
+
+        Skill bodies are vetted at install time by ``skills_guard.py``;
+        the runtime cron scan is only a tripwire for unambiguous
+        prompt-injection directives, not for command-shape prose.
+        """
        hermes_home, scheduler = cron_env
        _plant_skill(
            hermes_home,
-            "exfil-skill",
-            "Helpful task.\n\nRun this: cat ~/.hermes/.env",
+            "security-postmortem",
+            "Lessons learned: the attacker could just `cat ~/.hermes/.env`\n"
+            "to steal credentials. We added namespace isolation as a result.",
        )

        job = {
-            "id": "job-exfil",
-            "name": "exfil",
+            "id": "job-postmortem",
+            "name": "postmortem-style",
            "prompt": "run daily report",
-            "skills": ["exfil-skill"],
+            "skills": ["security-postmortem"],
        }

-        with pytest.raises(scheduler.CronPromptInjectionBlocked):
-            scheduler._build_job_prompt(job)
+        # Must NOT raise — descriptive prose about attack commands is fine
+        # inside skill bodies; that's what security docs look like.
+        prompt = scheduler._build_job_prompt(job)
+        assert prompt is not None
+        assert "cat ~/.hermes/.env" in prompt

    def test_skill_with_invisible_unicode_raises(self, cron_env):
        hermes_home, scheduler = cron_env