ocas-custodian
Automates monitoring and maintenance of agent platforms, fixing operational failures and optimizing system health during quiet hours.
Install this skill
or
0/100
Security score
The ocas-custodian skill was audited on Jun 13, 2026 and we found 9 security issues across 1 threat category, including 6 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
medium line 181
Access to hidden dotfiles in home directory
SourceSKILL.md
| 181 | **Note:** Custodian v2.0.0+ runs as a Hermes plugin (not just a skill). The plugin is installed at `~/.hermes/plugins/custodian/`. The skill (this file) is retained for backward compatibility and refe |
medium line 214
Access to hidden dotfiles in home directory
SourceSKILL.md
| 214 | - **`hermes cron edit` requires relative script paths** — The `--script` flag accepts only paths relative to `~/.hermes/scripts/`, not absolute paths. If the script only exists under the profile direc |
medium line 217
Access to hidden dotfiles in home directory
SourceSKILL.md
| 217 | - **Editable install path may differ from plugin directory** — When Hermes uses `pip install -e`, the active plugin code is at the path in the editable finder's `MAPPING` dict, NOT at `~/.hermes/plugi |
high line 120
Access to root home directory
SourceSKILL.md
| 120 | See `references/script-path-security-block-pattern.md` for the `oc_cron_script_path_security_block` fingerprint — a distinct sub-pattern from `oc_cron_dead_script_ref` where the script exists but the |
high line 198
Access to root home directory
SourceSKILL.md
| 198 | - **`Path.home() / ".hermes"` breaks in cron** — Never use this pattern in scripts that run in cron/scheduled contexts. Hardcode `/root/.hermes`. |
high line 199
Access to root home directory
SourceSKILL.md
| 199 | - **Script paths must match HERMES_HOME** — Cron job `script` fields must point to scripts under `$HERMES_HOME/scripts/`. When `HERMES_HOME=/root/.hermes/profiles/indigo` (set by systemd), use `/root/ |
high line 214
Access to root home directory
SourceSKILL.md
| 214 | - **`hermes cron edit` requires relative script paths** — The `--script` flag accepts only paths relative to `~/.hermes/scripts/`, not absolute paths. If the script only exists under the profile direc |
high line 218
Access to root home directory
SourceSKILL.md
| 218 | - **Elephas pipeline bridge dependency** — The `elephas_cron_pipeline.py` script connects to LadybugDB via `ladybug_client` on port 9192 (chronicle). It does NOT manage bridge lifecycle and does NOT c |
high line 219
Access to root home directory
SourceSKILL.md
| 219 | - **jobs.json path under profiles** — When running under a profile, the authoritative jobs.json is at `/root/.hermes/profiles/<profile>/cron/jobs.json`, NOT `/root/.hermes/cron/jobs.json`. Both exist; |
Scanned on Jun 13, 2026
View Security DashboardRating
5.01
Rate this skill
Categoryoperations
UpdatedJune 13, 2026
hermesfrontenddesignpowerpointdocxgitapitestingbackendit-operationsdevops-sreoperations-managergithuboperationsdevelopment
indigokarasu/custodian