ocas-mentor
Mentor orchestrates and evaluates multi-skill workflows, proposing improvements based on performance analysis and project management.
Security score: 0/100
The ocas-mentor skill was audited on Jun 13, 2026 and we found 11 security issues across 2 threat categories, including 5 high-severity. Review the findings below before installing.
Security Issues
high line 195
Template literal with variable interpolation in command context
Source: SKILL.md
| 195 | **Heredoc journal file naming:** `cat > "$JOURNAL_DIR/${RUN_ID}.json" << 'EOF'` may create a file literally named `.json`. Compose the filename in a separate variable first, then reference without bra |
high line 279
Template literal with variable interpolation in command context
Source: SKILL.md
| 279 | - **Backup journal double-prefix** — If RUN_ID already contains `mentor-light-`, filename is `"$RUN_ID.json"` not `"mentor-light-${RUN_ID}.json"`. See gotcha #43. |
high line 135
Python subprocess execution
Source: SKILL.md
| 135 | **Sandbox file discovery failure:** In the cron sandbox, Python's `subprocess.run(["find", ...])` and `os.walk()` silently return 0 results even when the filesystem is fully accessible via shell tools |
high line 88
Access to root home directory
Source: SKILL.md
| 88 | Mentor reads journals from all skills at: `{agent_root}/commons/journals/` (recursive scan). **NOTE:** The deep heartbeat script (`cron-heartbeat-deep.py`) currently only scans `/root/.hermes/commons/ |
medium line 155
Access to root home directory
Source: SKILL.md
| 155 | EVIDENCE_BEFORE=$(wc -l < /root/.hermes/commons/data/mentor/evidence.jsonl) |
medium line 156
Access to root home directory
Source: SKILL.md
| 156 | INGESTION_BEFORE=$(wc -l < /root/.hermes/commons/data/mentor/ingestion_log.jsonl) |
medium line 157
Access to root home directory
Source: SKILL.md
| 157 | JOURNAL_DIR="/root/.hermes/profiles/indigo/commons/journals/ocas-mentor/$(date +%Y-%m-%d)" |
medium line 163
Access to root home directory
Source: SKILL.md
| 163 | EVIDENCE_AFTER=$(wc -l < /root/.hermes/commons/data/mentor/evidence.jsonl) |
medium line 164
Access to root home directory
Source: SKILL.md
| 164 | INGESTION_AFTER=$(wc -l < /root/.hermes/commons/data/mentor/ingestion_log.jsonl) |
medium line 169
Access to root home directory
Source: SKILL.md
| 169 | printf '%s\\n' '{...evidence json...}' >> /root/.hermes/commons/data/mentor/evidence.jsonl |
high line 268
Access to root home directory
Source: SKILL.md
| 268 | - **`JOURNALS_DIR` path must match `find` output** — Must be `/root/.hermes/commons/journals`, NOT the profile-scoped path. |
Scanned on Jun 13, 2026
Rating: 5.01
Category: project management
Updated: June 13, 2026
hermes, frontend, git, testing, backend, project-manager, operations-manager, growth-pm, business-process-analyst, data-analyst, github, project management, operations, product, data analytics
indigokarasu/mentor