DEV Community

Robin Beraud-Sudreau
Robin Beraud-Sudreau

Posted on

Hermes AI Skills Just Got More Secure: Personal Data Removed from Published Skills

The Problem

When building open-source AI agent skills, it's easy to accidentally expose sensitive information in documentation—API keys, personal model IDs, user emails, or custom configuration details. Once published to a repository, this data becomes a security liability for anyone using your skills.

The Hermes AI agent community just took a major step toward fixing this with a significant security push across seven popular skills.

What Changed

A recent commit to the hermes-skills repository removed all personal and sensitive data from published skill documentation. Skills affected include:

  • marketing/waitlister — removed example waitlist keys and personal URLs
  • media/photogpt — stripped personal model IDs
  • media/voxtral-tts — cleaned up voice clone references
  • media/youtube-content — removed example channel data
  • productivity/mural — eliminated workspace identifiers
  • seo/neuronwriter — removed project-specific credentials
  • wordpress/wpbakery — scrubbed site-specific URLs

Why This Matters

Each skill's documentation now uses placeholder variables (like $YOUR_API_KEY, YOUR_WAITLIST_KEY) instead of real values. This pattern:

✅ Prevents accidental credential leaks

✅ Makes it clearer where users need to insert their own data

✅ Reduces social engineering attack surface

✅ Follows security best practices for open-source projects

How It Works with Hermes

When you use a skill with the Hermes AI agent, it reads credentials from your local environment (typically ~/.hermes/.env). The documentation now explicitly guides you to store sensitive data there:

# In ~/.hermes/.env
WAITLISTER_API_KEY=your_actual_key_here
PHOTOGPT_API_KEY=your_actual_key_here
MURAL_ACCESS_TOKEN=your_actual_token_here
Enter fullscreen mode Exit fullscreen mode

Then skills reference these variables without exposing them in git history or public documentation.

What You Should Do

If you're using any of these skills:

  1. Pull the latest changesgit pull to get the security update
  2. Review your .env file — ensure all credentials are stored locally, not in code
  3. Check your git history — if you've forked the repo, verify no secrets were committed
  4. Update your skill configs — replace any hardcoded values with environment variable references

Contributing Secure Skills

If you're building new skills for Hermes, this commit sets the standard:

  • Use environment variables for all credentials
  • Document how to find/generate API keys, but never include examples of real keys
  • Use placeholder names that make it obvious what needs replacing
  • Store sensitive docs in private wikis, not public repositories

This is a great reminder that security in open-source isn't just about code—documentation matters too.

Get Involved

The Hermes AI agent is built by the community. If you've spotted other sensitive data in skills or want to contribute a new skill securely, check out the repository and help strengthen the ecosystem.

⭐ Star hermes-skills on GitHub to stay updated on security improvements and new skill releases.

Top comments (0)