← Back to Skills Marketplace
davida-ps

hermes-attestation-guardian

by davida-ps · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
96
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install hermes-attestation-guardian
Description
Hermes-only runtime security attestation and drift detection skill for operator-managed Hermes infrastructure.
README (SKILL.md)

Hermes Attestation Guardian

IMPORTANT SCOPE:

  • This skill targets Hermes infrastructure only (CLI/Gateway/profile-managed deployments).
  • This skill is not an OpenClaw runtime hook package.

Goal

Generate deterministic Hermes posture attestations, verify them with fail-closed integrity checks, and compare baseline drift using stable severity mapping.

Mandatory release verification gate (before install)

Before treating any release install instructions as valid, verify all three inputs:

  1. checksums.json
  2. checksums.sig
  3. pinned signing public-key fingerprint
BASE="https://github.com/prompt-security/clawsec/releases/download/hermes-attestation-guardian-v0.1.0"
TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

curl -fsSL "$BASE/checksums.json" -o "$TMP/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TMP/checksums.sig"
curl -fsSL "$BASE/signing-public.pem" -o "$TMP/signing-public.pem"

[ -s "$TMP/checksums.json" ] || { echo "ERROR: missing checksums.json" >&2; exit 1; }
[ -s "$TMP/checksums.sig" ] || { echo "ERROR: missing checksums.sig" >&2; exit 1; }

EXPECTED_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"
ACTUAL_PUBKEY_SHA256="$(openssl pkey -pubin -in "$TMP/signing-public.pem" -outform DER | sha256sum | awk '{print $1}')"
[ "$ACTUAL_PUBKEY_SHA256" = "$EXPECTED_PUBKEY_SHA256" ] || {
  echo "ERROR: signing-public.pem fingerprint mismatch" >&2
  exit 1
}

openssl base64 -d -A -in "$TMP/checksums.sig" -out "$TMP/checksums.sig.bin"
openssl pkeyutl -verify -rawin -pubin -inkey "$TMP/signing-public.pem" \
  -sigfile "$TMP/checksums.sig.bin" -in "$TMP/checksums.json" >/dev/null

Hermes guard trust policy note

When installing from community sources, configure Hermes guard to use signature-aware trust (trusted signer fingerprint allowlist) rather than source-name-only trust. Unknown signer fingerprints should stay on community policy, and invalid signatures must remain blocked.

Commands

# Generate attestation (default output: ~/.hermes/security/attestations/current.json)
node scripts/generate_attestation.mjs

# Generate with explicit policy + deterministic timestamp
node scripts/generate_attestation.mjs \
  --policy ~/.hermes/security/attestation-policy.json \
  --generated-at 2026-04-15T18:00:00.000Z \
  --write-sha256

# Verify schema + canonical digest
node scripts/verify_attestation.mjs --input ~/.hermes/security/attestations/current.json

# Verify with baseline diff (baseline must be authenticated)
node scripts/verify_attestation.mjs \
  --input ~/.hermes/security/attestations/current.json \
  --baseline ~/.hermes/security/attestations/baseline.json \
  --baseline-expected-sha256 \x3Ctrusted-baseline-sha256> \
  --fail-on-severity high

# Optional detached signature verification
node scripts/verify_attestation.mjs \
  --input ~/.hermes/security/attestations/current.json \
  --signature ~/.hermes/security/attestations/current.json.sig \
  --public-key ~/.hermes/security/keys/attestation-public.pem

# Refresh advisory feed verification state (fail-closed by default)
node scripts/refresh_advisory_feed.mjs

# Check advisory feed verification + feed summary
node scripts/check_advisories.mjs

# Guarded advisory-aware skill verification gate (returns 42 on advisory match without explicit confirm)
node scripts/guarded_skill_verify.mjs --skill some-skill --version 1.2.3

# Explicit operator acknowledgement path for advisory matches
node scripts/guarded_skill_verify.mjs --skill some-skill --version 1.2.3 --confirm-advisory

# Optional temporary unsigned bypass (dangerous; emergency-only)
HERMES_ADVISORY_ALLOW_UNSIGNED_FEED=1 node scripts/refresh_advisory_feed.mjs --allow-unsigned

# Preview scheduler config without mutating user schedule state
node scripts/setup_attestation_cron.mjs --every 6h --print-only

# Apply managed scheduler block
node scripts/setup_attestation_cron.mjs --every 6h --apply

# Preview advisory check scheduler config (guarded flow, print-only default)
node scripts/setup_advisory_check_cron.mjs --every 6h --skill some-skill --print-only

# Apply advisory check scheduler block (uses guarded_skill_verify flow)
node scripts/setup_advisory_check_cron.mjs --every 6h --skill some-skill --version 1.2.3 --apply

# Emergency-only: unsigned bypass for scheduled advisory checks (do not keep enabled)
node scripts/setup_advisory_check_cron.mjs --every 6h --skill some-skill --allow-unsigned --apply

WARNING: --allow-unsigned in scheduled commands is incident-response only. Remove it immediately after recovery and restore signed advisory verification.

Attestation payload (implemented)

The generator emits:

  • schema_version, platform, generated_at
  • generator metadata (skill + node version)
  • host metadata (hostname/platform/arch)
  • posture.runtime (gateway enabled flags + risky toggles)
  • posture.feed_verification status (verified|unverified|unknown) sourced from $HERMES_HOME/security/advisories/feed-verification-state.json
  • posture.integrity watched_files and trust_anchors (existence + sha256)
  • digests.canonical_sha256 over a stable canonical JSON representation

Fail-closed behavior

Verifier exits non-zero when:

  • schema validation fails
  • canonical digest algorithm is unsupported or digest binding mismatches
  • expected file sha256 mismatches (if configured)
  • detached signature verification fails (if configured)
  • baseline is provided without authenticated trust binding (--baseline-expected-sha256 and/or baseline signature + public key)
  • baseline authenticity or baseline schema/digest validation fails
  • baseline diff highest severity is at/above --fail-on-severity (default: critical)

Severity messages are emitted as INFO / WARNING / CRITICAL style lines.

Side effects

  • generate_attestation.mjs writes one JSON file (and optional .sha256) under $HERMES_HOME/security/attestations.
  • verify_attestation.mjs is read-only.
  • refresh_advisory_feed.mjs writes verified feed cache + verification state under $HERMES_HOME/security/advisories.
  • check_advisories.mjs is read-only.
  • guarded_skill_verify.mjs re-runs feed refresh/verification (same advisory cache + state side effects) and then performs advisory-aware gate checks.
  • setup_attestation_cron.mjs is read-only unless --apply is provided.
  • setup_attestation_cron.mjs --apply rewrites only the current user managed schedule block delimited by:
    • # >>> hermes-attestation-guardian >>>
    • # \x3C\x3C\x3C hermes-attestation-guardian \x3C\x3C\x3C
  • setup_advisory_check_cron.mjs is read-only unless --apply is provided.
  • setup_advisory_check_cron.mjs --apply rewrites only the current user advisory-check managed schedule block delimited by:
    • # >>> hermes-attestation-guardian-advisory-check >>>
    • # \x3C\x3C\x3C hermes-attestation-guardian-advisory-check \x3C\x3C\x3C
    • generated command path uses guarded_skill_verify.mjs (advisory-aware gate), not raw check_advisories.mjs

Advisory feed override knobs

  • Source selection: HERMES_ADVISORY_FEED_SOURCE=auto|remote|local
  • Remote artifacts: HERMES_ADVISORY_FEED_URL, HERMES_ADVISORY_FEED_SIG_URL, HERMES_ADVISORY_FEED_CHECKSUMS_URL, HERMES_ADVISORY_FEED_CHECKSUMS_SIG_URL
  • Local artifacts: HERMES_LOCAL_ADVISORY_FEED, HERMES_LOCAL_ADVISORY_FEED_SIG, HERMES_LOCAL_ADVISORY_FEED_CHECKSUMS, HERMES_LOCAL_ADVISORY_FEED_CHECKSUMS_SIG
  • Pinned key override: HERMES_ADVISORY_FEED_PUBLIC_KEY (default is built-in pinned key)
  • Optional checksum toggle: HERMES_ADVISORY_VERIFY_CHECKSUM_MANIFEST (default: enabled)
  • UNSAFE emergency bypass only: HERMES_ADVISORY_ALLOW_UNSIGNED_FEED=1

Notes

  • Hermes scan + test context is .mjs-based by design:
    • runtime scripts: scripts/*.mjs
    • shared libraries: lib/*.mjs
    • regression tests: test/*.test.mjs
  • Keep .mjs paths/extensions stable so scanner scope, SBOM wiring, and test harness references stay valid.
  • Default output root is ~/.hermes/security/attestations/.
  • No destructive remediation actions (delete/restore/quarantine) are implemented.
  • Advisory feed remote URL allowlisting is not implemented in v0.0.2; operators must explicitly trust configured feed/checksum endpoints.
  • Guarded advisory version matching currently uses a lightweight comparator parser (>=, \x3C=, >, \x3C, =, ^, ~, wildcard *) and does not implement full npm semver range grammar (for example, OR ranges and complex comparator sets).
  • Operator policy file is optional JSON with:
    • watch_files: list of file paths
    • trust_anchor_files: list of file paths
Usage Guidance
This package appears to implement the Hermes attestation and advisory-check functionality it claims, but take these precautions before installing or running it: - Ensure you have Node installed; SKILL.md and the scripts require node even though the registry metadata omitted it. - Verify the release artifacts exactly as the SKILL.md shows (checksums.json, checksums.sig, and the pinned signing public-key fingerprint). Do not skip the OpenSSL verification step. - Review and set HERMES_HOME explicitly (the tool confines writes to HERMES_HOME). Inspect existing files under that directory; the tool will read/write under $HERMES_HOME/security and can create state and cached feed files. - Audit the hard-coded feed URL and pinned feed public key (DEFAULT_REMOTE_FEED_URL and PINNED_FEED_PUBLIC_KEY_PEM) to ensure they match your operator trust policy and the release verification fingerprint. - Be cautious when using any --apply or --allow-unsigned flags: --apply will modify your crontab/scheduler (the scripts call schedule-bin operations) and --allow-unsigned is explicitly emergency-only and bypasses signature checks. - Because the registry metadata did not declare env vars the code uses, plan to run the scripts in a controlled sandbox (container or VM) first and run the provided tests (or inspect test scripts) to confirm behavior in your environment. If you want higher confidence, ask the maintainer for: corrected registry metadata listing 'node' and the env vars the skill reads, a signed release tarball whose checksums match the published manifest, and documentation of the default scheduleBin used for crontab operations.
Capability Analysis
Type: OpenClaw Skill Name: hermes-attestation-guardian Version: 0.1.0 The hermes-attestation-guardian skill is a security utility designed for runtime posture attestation and advisory monitoring within Hermes infrastructure. It performs high-risk operations including modifying user crontabs for persistence (lib/cron.mjs), making network requests to fetch advisory feeds (lib/feed.mjs), and reading system configuration files (lib/attestation.mjs). However, these actions are strictly aligned with its stated purpose and are implemented with robust security controls, such as Ed25519 signature verification for remote feeds, strict path-scoping to prevent directory traversal outside of $HERMES_HOME, and proper shell-argument escaping to mitigate injection. The code is modular, well-tested, and lacks any indicators of malicious intent or data exfiltration.
Capability Tags
cryptorequires-walletrequires-sensitive-credentials
Capability Assessment
Purpose & Capability
The code and SKILL.md implement Hermes-focused attestation, signature verification, advisory feed checks, baseline diffing, and optional cron scheduling — all coherent with the declared purpose. However the package metadata (registry requirements) omitted the 'node' runtime that SKILL.md and the included .mjs scripts require; that's an inconsistency in declared requirements.
Instruction Scope
Runtime instructions are narrowly scoped to Hermes assets: they read/write files under HERMES_HOME, verify signed artifacts, refresh/verify a remote advisory feed, and manage optional scheduled jobs. The instructions do not ask for unrelated credential stores or arbitrary system data. They do include an explicit pre-install release verification step (downloads from GitHub releases + OpenSSL checks) which is appropriate for the purpose.
Install Mechanism
There is no automatic install spec (no remote downloads executed automatically). The skill is instruction-only regarding install, and the code files are bundled in the skill. This minimizes surprise remote install behavior. The SKILL.md recommends manual verification of release artifacts before install (good).
Credentials
Registry metadata lists no required environment variables, but the code and SKILL.md rely on many environment variables (HERMES_HOME, HERMES_ADVISORY_ALLOW_UNSIGNED_FEED, HERMES_ADVISORY_FEED_STATE_PATH, gateway toggles like HERMES_GATEWAY_TELEGRAM_ENABLED, and others). That mismatch means the skill may behave differently or require operator configuration not documented in the registry entry. The skill also reads and can write files under the user's HERMES_HOME and advisory state; these are reasonable for the stated purpose but represent sensitive local state that the operator should review.
Persistence & Privilege
The skill does not request 'always: true' and allows model invocation (default). It exposes scripts to add managed cron blocks (apply mode) which will mutate the user's crontab/scheduler if used; this is expected for recurring checks but is a privilege that alters system state. The code takes precautions (print-only default, explicit --apply) and confines written paths to HERMES_HOME and rejects symlinks, which is good practice.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install hermes-attestation-guardian
  3. After installation, invoke the skill by name or use /hermes-attestation-guardian
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Release 0.1.0 via CI
v0.0.1
Release 0.0.1 via CI
Metadata
Slug hermes-attestation-guardian
Version 0.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is hermes-attestation-guardian?

Hermes-only runtime security attestation and drift detection skill for operator-managed Hermes infrastructure. It is an AI Agent Skill for Claude Code / OpenClaw, with 96 downloads so far.

How do I install hermes-attestation-guardian?

Run "/install hermes-attestation-guardian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is hermes-attestation-guardian free?

Yes, hermes-attestation-guardian is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does hermes-attestation-guardian support?

hermes-attestation-guardian is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created hermes-attestation-guardian?

It is built and maintained by davida-ps (@davida-ps); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments