From f06508836dd4e5c56ffc14912725c12c6d941291 Mon Sep 17 00:00:00 2001 From: kshitijk4poor <82637225+kshitijk4poor@users.noreply.github.com> Date: Sat, 20 Jun 2026 00:30:42 +0530 Subject: [PATCH] =?UTF-8?q?docs(security):=20enumerate=20cron=20job=20scri?= =?UTF-8?q?pts=20in=20=C2=A72.3=20credential=20scoping?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cron-script subprocess is now sanitized alongside shell/MCP/ code-exec children; §2.3 listed only the original three. Makes the _run_job_script docstring's §2.3 citation fully accurate. Follow-up to salvaged PR #49207. --- SECURITY.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c58e348b579..2579c6eaec5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -121,10 +121,11 @@ outside the supported security posture. ### 2.3 Credential Scoping Hermes Agent filters the environment it passes to its lower-trust -in-process components: shell subprocesses, MCP subprocesses, and -the code-execution child. Credentials like provider API keys and -gateway tokens are stripped by default; variables explicitly -declared by the operator or by a loaded skill are passed through. +in-process components: shell subprocesses, MCP subprocesses, +cron job scripts, and the code-execution child. Credentials like +provider API keys and gateway tokens are stripped by default; +variables explicitly declared by the operator or by a loaded +skill are passed through. This reduces casual exfiltration. It is not containment. Any component running inside the agent process (skills, plugins, hook
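Review bot: The rewritten opening sentence of §2.3 still introduces the list as "lower-trust in-process components", yet every item in it, including the newly added "cron job scripts", is a subprocess or child, and the following paragraph uses "running inside the agent process" for skills and plugins instead. Since this hunk already rewrites that line, consider wording such as "lower-trust child processes" so the two categories are not confused. The pass-through sentence ("variables explicitly declared by the operator or by a loaded skill are passed through") now covers cron job scripts by implication; if cron scripts use the same allowlist as the other three, say so explicitly, and if they differ, document the difference here, because the commit message notes that the _run_job_script docstring cites this section.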