mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-09 13:21:42 +00:00
The model-facing cronjob tool accepts free-form provider + base_url. On fire, the scheduler pairs the named provider's stored credential with the job's base_url, so a prompt-injected job (e.g. provider=anthropic, base_url=https://attacker/v1) sends the real API key to an attacker endpoint. A base_url with no provider inherits the default provider's key for the same effect. Add a fail-closed guard at the tool boundary: a base_url override is allowed only for the custom/BYOK sentinel, a configured custom_providers entry, or when the override host matches the named provider's own endpoint; an override without an explicit provider is rejected. The trust boundary is the caller, so operator-configured base_urls for named providers are unaffected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| scripts | ||
| __init__.py | ||
| blueprint_catalog.py | ||
| jobs.py | ||
| scheduler.py | ||
| scheduler_provider.py | ||
| suggestion_catalog.py | ||
| suggestions.py | ||