From e4a1220f83d9de36ce5be5ef43afae8166ae1d9e Mon Sep 17 00:00:00 2001
From: Teknium <127238744+teknium1@users.noreply.github.com>
Date: Sun, 24 May 2026 04:24:54 -0700
Subject: [PATCH] security: restrict default webhook toolset capabilities (#30745)
---
 toolsets.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/toolsets.py b/toolsets.py
index 5de07e4c7a1..bab7677887a 100644
--- a/toolsets.py
+++ b/toolsets.py
@@ -72,6 +72,16 @@ _HERMES_CORE_TOOLS = [
 "computer_use",
 ]
+# Webhook events may originate from untrusted third-party content (for example,
+# public PR titles/comments). Keep the default webhook toolset intentionally
+# constrained to avoid local file/system execution by prompt injection.
+_HERMES_WEBHOOK_SAFE_TOOLS = [
+ "web_search",
+ "web_extract",
+ "vision_analyze",
+ "clarify",
+]
+
 # Core toolset definitions
 # These can include individual tools or reference other toolsets
@@ -523,7 +533,7 @@ TOOLSETS = {
 "hermes-webhook": {
 "description": "Webhook toolset - receive and process external webhook events",
- "tools": _HERMES_CORE_TOOLS,
+ "tools": _HERMES_WEBHOOK_SAFE_TOOLS,
 "includes": []
 },
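Review bot: The comment above `_HERMES_WEBHOOK_SAFE_TOOLS` names only local file/system execution as the risk, but the list keeps `web_search` and `web_extract`, so text injected through a webhook payload can still steer outbound requests. Whether those tools filter destinations or limit what is placed in a request is not visible in this hunk, so the residual risk should be recorded next to the list, for example `# NOTE: web_* tools still make outbound requests chosen by the model; destination filtering must be enforced in the tool layer.` `clarify` presumably asks a human a question, which a webhook-triggered run may have nobody to answer; confirm it cannot stall the run.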
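Review bot: Nothing in this commit pins the restriction: the diffstat lists only toolsets.py, so a later edit that points `"tools"` of `"hermes-webhook"` back at `_HERMES_CORE_TOOLS` would pass unnoticed. A regression test such as `assert set(TOOLSETS["hermes-webhook"]["tools"]) == {"web_search", "web_extract", "vision_analyze", "clarify"}` would hold the allowlist in place. The entry also stores the module-level list object itself, so an in-place mutation through the dict would change the constant; `"tools": list(_HERMES_WEBHOOK_SAFE_TOOLS),` avoids that aliasing. The TOOLSETS dict starts and ends outside the hunk, so whether other entries or per-deployment configuration can widen the webhook toolset again cannot be judged from here.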