mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: review fixes — path traversal guard, trust_style consistency, edge cases

Browse source 
Address code review findings:

Security (Medium):
- Path traversal guard in OptionalSkillSource.fetch() — resolve() and
  validate that the path stays within optional-skills/ before reading

Bug fixes (Medium):
- Add 'builtin' to trust_style dicts in do_inspect() and
  _resolve_short_name() — official skills now show bright_cyan 'official'
  label consistently across all display functions (5/5 dicts fixed)

Edge cases (Low):
- Clamp page_size to [1, 100] in do_browse() to prevent ZeroDivisionError
- Update SkillMeta.source docstring to include 'official'
- Add browse command to optional-skills/DESCRIPTION.md
This commit is contained in:
teknium1 2026-03-06 01:40:01 -08:00
parent ec0fe3242a
commit f6f3d1de9b
3 changed files with 25 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

13
hermes_cli/skills_hub.py
View file

@ -57,8 +57,9 @@ def _resolve_short_name(name: str, sources, console: Console) -> str:
table.add_column("Trust", style="dim") table.add_column("Trust", style="dim")
table.add_column("Identifier", style="bold cyan") table.add_column("Identifier", style="bold cyan")
for r in exact: for r in exact:
trust_style = {"trusted": "green", "community": "yellow"}.get(r.trust_level, "dim") trust_style = {"builtin": "bright_cyan", "trusted": "green", "community": "yellow"}.get(r.trust_level, "dim")
table.add_row(r.source, f"[{trust_style}]{r.trust_level}[/]", r.identifier) trust_label = "official" if r.source == "official" else r.trust_level
table.add_row(r.source, f"[{trust_style}]{trust_label}[/]", r.identifier)
c.print(table) c.print(table)
c.print("[bold]Use the full identifier to install a specific one.[/]\n") c.print("[bold]Use the full identifier to install a specific one.[/]\n")
return "" return ""
@ -124,6 +125,9 @@ def do_browse(page: int = 1, page_size: int = 20, source: str = "all",
GitHubAuth, create_source_router, OptionalSkillSource, SkillMeta, GitHubAuth, create_source_router, OptionalSkillSource, SkillMeta,
) )
# Clamp page_size to safe range
page_size = max(1, min(page_size, 100))
c = console or _console c = console or _console
auth = GitHubAuth() auth = GitHubAuth()
@ -375,13 +379,14 @@ def do_inspect(identifier: str, console: Optional[Console] = None) -> None:
break break
c.print() c.print()
trust_style = {"trusted": "green", "community": "yellow"}.get(meta.trust_level, "dim") trust_style = {"builtin": "bright_cyan", "trusted": "green", "community": "yellow"}.get(meta.trust_level, "dim")
trust_label = "official" if meta.source == "official" else meta.trust_level
info_lines = [ info_lines = [
f"[bold]Name:[/] {meta.name}", f"[bold]Name:[/] {meta.name}",
f"[bold]Description:[/] {meta.description}", f"[bold]Description:[/] {meta.description}",
f"[bold]Source:[/] {meta.source}", f"[bold]Source:[/] {meta.source}",
f"[bold]Trust:[/] [{trust_style}]{meta.trust_level}[/]", f"[bold]Trust:[/] [{trust_style}]{trust_label}[/]",
f"[bold]Identifier:[/] {meta.identifier}", f"[bold]Identifier:[/] {meta.identifier}",
] ]
if meta.tags: if meta.tags:

6
optional-skills/DESCRIPTION.md
View file

@ -6,8 +6,10 @@ These skills ship with the hermes-agent repository but are not copied to
`~/.hermes/skills/` during setup. They are discoverable via the Skills Hub: `~/.hermes/skills/` during setup. They are discoverable via the Skills Hub:
```bash ```bash
hermes skills search <query> # finds optional skills labeled "official" hermes skills browse # browse all skills, official shown first
hermes skills install <identifier> # copies to ~/.hermes/skills/ and activates hermes skills browse --source official # browse only official optional skills
hermes skills search <query> # finds optional skills labeled "official"
hermes skills install <identifier> # copies to ~/.hermes/skills/ and activates
``` ```
## Why optional? ## Why optional?

14
tools/skills_hub.py
View file

@ -63,7 +63,7 @@ class SkillMeta:
"""Minimal metadata returned by search results.""" """Minimal metadata returned by search results."""
name: str name: str
description: str description: str
source: str # "github", "clawhub", "claude-marketplace", "lobehub" source: str # "official", "github", "clawhub", "claude-marketplace", "lobehub"
identifier: str # source-specific ID (e.g. "openai/skills/skill-creator") identifier: str # source-specific ID (e.g. "openai/skills/skill-creator")
trust_level: str # "builtin" | "trusted" | "community" trust_level: str # "builtin" | "trusted" | "community"
repo: Optional[str] = None repo: Optional[str] = None
@ -987,12 +987,22 @@ class OptionalSkillSource(SkillSource):
rel = identifier.split("/", 1)[-1] if identifier.startswith("official/") else identifier rel = identifier.split("/", 1)[-1] if identifier.startswith("official/") else identifier
skill_dir = self._optional_dir / rel skill_dir = self._optional_dir / rel
if not skill_dir.is_dir(): # Guard against path traversal (e.g. "official/../../etc")
try:
resolved = skill_dir.resolve()
if not str(resolved).startswith(str(self._optional_dir.resolve())):
return None
except (OSError, ValueError):
return None
if not resolved.is_dir():
# Try searching by skill name only (last segment) # Try searching by skill name only (last segment)
skill_name = rel.rsplit("/", 1)[-1] skill_name = rel.rsplit("/", 1)[-1]
skill_dir = self._find_skill_dir(skill_name) skill_dir = self._find_skill_dir(skill_name)
if not skill_dir: if not skill_dir:
return None return None
else:
skill_dir = resolved
files: Dict[str, str] = {} files: Dict[str, str] = {}
for f in skill_dir.rglob("*"): for f in skill_dir.rglob("*"):