The Problem
When building open-source AI agent skills, it's easy to accidentally expose sensitive information in documentation—API keys, personal model IDs, user emails, or custom configuration details. Once published to a repository, this data becomes a security liability for anyone using your skills.
The Hermes AI agent community just took a major step toward fixing this with a significant security push across seven popular skills.
What Changed
A recent commit to the hermes-skills repository removed all personal and sensitive data from published skill documentation. Skills affected include:
- marketing/waitlister — removed example waitlist keys and personal URLs
- media/photogpt — stripped personal model IDs
- media/voxtral-tts — cleaned up voice clone references
- media/youtube-content — removed example channel data
- productivity/mural — eliminated workspace identifiers
- seo/neuronwriter — removed project-specific credentials
- wordpress/wpbakery — scrubbed site-specific URLs
Why This Matters
Each skill's documentation now uses placeholder variables (like $YOUR_API_KEY, YOUR_WAITLIST_KEY) instead of real values. This pattern:
✅ Prevents accidental credential leaks
✅ Makes it clearer where users need to insert their own data
✅ Reduces social engineering attack surface
✅ Follows security best practices for open-source projects
How It Works with Hermes
When you use a skill with the Hermes AI agent, it reads credentials from your local environment (typically ~/.hermes/.env). The documentation now explicitly guides you to store sensitive data there:
# In ~/.hermes/.env
WAITLISTER_API_KEY=your_actual_key_here
PHOTOGPT_API_KEY=your_actual_key_here
MURAL_ACCESS_TOKEN=your_actual_token_here
Then skills reference these variables without exposing them in git history or public documentation.
What You Should Do
If you're using any of these skills:
-
Pull the latest changes —
git pullto get the security update -
Review your
.envfile — ensure all credentials are stored locally, not in code - Check your git history — if you've forked the repo, verify no secrets were committed
- Update your skill configs — replace any hardcoded values with environment variable references
Contributing Secure Skills
If you're building new skills for Hermes, this commit sets the standard:
- Use environment variables for all credentials
- Document how to find/generate API keys, but never include examples of real keys
- Use placeholder names that make it obvious what needs replacing
- Store sensitive docs in private wikis, not public repositories
This is a great reminder that security in open-source isn't just about code—documentation matters too.
Get Involved
The Hermes AI agent is built by the community. If you've spotted other sensitive data in skills or want to contribute a new skill securely, check out the repository and help strengthen the ecosystem.
⭐ Star hermes-skills on GitHub to stay updated on security improvements and new skill releases.
Top comments (0)