ocas-taste
Generates personalized recommendations based on real consumption signals from emails and calendars, respecting dietary restrictions.
Security score: 0/100
The ocas-taste skill was audited on Jun 13, 2026 and we found 13 security issues across 2 threat categories, including 9 high-severity. Review the findings below before installing.
Security Issues
high line 83
Access to root home directory
Source: SKILL.md
| 83 | - Full pipeline (Styx delta + enrichment): `/root/.hermes/commons/data/ocas-taste/venv/bin/python3 /root/.hermes/skills/ocas-taste/scripts/taste_full_enrich.py --limit 200` |
high line 84
Access to root home directory
Source: SKILL.md
| 84 | - Email-only historical scan: `/root/.hermes/commons/data/ocas-taste/venv/bin/python3 /root/.hermes/skills/ocas-taste/scripts/taste_scan.py scan-historical 365` |
high line 85
Access to root home directory
Source: SKILL.md
| 85 | - Status check: `wc -l /root/.hermes/commons/data/ocas-taste/signals.jsonl /root/.hermes/commons/data/ocas-taste/items.jsonl` (the `taste_scan.py status` command may report 0 due to path resolution is |
medium line 236
Access to root home directory
Source: SKILL.md
| 236 | /root/.hermes/commons/data/ocas-taste/venv/bin/python3 /root/.hermes/skills/ocas-taste/scripts/taste_scan.py scan-incremental 24 |
high line 262
Access to root home directory
Source: SKILL.md
| 262 | - **`taste_scan.py status` and `data-quality` report 0 when run outside the venv** — Both commands use the `TasteSkill` class which resolves `data_dir` differently than the actual data location. Alway |
high line 264
Access to root home directory
Source: SKILL.md
| 264 | - **`Path.home()` resolves to indigo profile home, not `/root`** — When running under the `indigo` Hermes profile, `Path.home()` returns `/root/.hermes/profiles/indigo/home` instead of `/root`. This c |
high line 265
Access to root home directory
Source: SKILL.md
| 265 | - **`email_scan.py` and `run_historical_scans.py` have the same `google_auth_mcp` path issue** — Both scripts use `AGENT_ROOT / 'scripts'` which resolves to the indigo profile home. **Fix:** Hardcode |
high line 266
Access to root home directory
Source: SKILL.md
| 266 | - **`taste_scan.py` token path is relative, must be absolute** — The script looks for token files at `Path("[Google OAuth credentials][email protected]")` which resolves relative to CWD a |
medium line 268
Access to root home directory
Source: SKILL.md
| 268 | sed -i 's|Path("\[Google OAuth credentials\][email protected]")|Path("/root/.google_workspace_mcp/credentials/[email protected]")|' taste_scan.py |
medium line 269
Access to root home directory
Source: SKILL.md
| 269 | sed -i 's|Path("\[Google OAuth credentials\][email protected]")|Path("/root/.google_workspace_mcp/credentials/[email protected]")|' taste_scan.py |
high line 277
Access to root home directory
Source: SKILL.md
| 277 | - **Styx enrichment is now universal** — The `styx:enrich-new-transactions` and `taste:daily-styx-enrichment` cron jobs now use the universal enrichment script (`/root/.hermes/commons/data/ocas-styx/s |
high line 287
Access to root home directory
Source: SKILL.md
| 287 | - **Re-auth script only handles Indigo's account** — `google_oauth_init.py` (in `infrastructure/google-workspace-auth`) hardcodes `do_email('[email protected]')` on line 141. It will NOT re-a |
low line 273
External URL reference
Source: SKILL.md
| 273 | sed -i "s|'https://www.googleapis.com/auth/gmail.readonly', 'https://www.googleapis.com/auth/gmail.modify', 'https://www.googleapis.com/auth/calendar'|'https://www.googleapis.com/auth/gmail.readonly', |
Scanned on Jun 13, 2026
Rating: 5.01
Category: marketing
Updated: June 13, 2026
Tags: hermes, frontend, remotion, docx, git, api, database, testing, backend, content-marketer, growth-marketer, influencer-marketer, marketing-analyst, product-marketer, marketing
indigokarasu/taste