watchers
Automates polling of RSS feeds, JSON APIs, and GitHub for new items, utilizing watermark deduplication for efficient monitoring.
Security score: 67/100
The watchers skill was audited on Jun 11, 2026 and we found 7 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
high line 65
Template literal with variable interpolation in command context
Source: SKILL.md
| 65 | Watch a GitHub repo (set `GITHUB_TOKEN` in `${HERMES_HOME:-~/.hermes}/.env` to avoid the 60 req/hr anonymous rate limit): |
medium line 36
Webhook reference - potential data exfiltration
Source: SKILL.md
| 36 | The scripts below handle all three. The agent runs them via the terminal tool — from a cron job, a webhook, or an interactive chat — and reports what's new. |
medium line 65
Access to hidden dotfiles in home directory
Source: SKILL.md
| 65 | Watch a GitHub repo (set `GITHUB_TOKEN` in `${HERMES_HOME:-~/.hermes}/.env` to avoid the 60 req/hr anonymous rate limit): |
medium line 65
Access to .env file
Source: SKILL.md
| 65 | Watch a GitHub repo (set `GITHUB_TOKEN` in `${HERMES_HOME:-~/.hermes}/.env` to avoid the 60 req/hr anonymous rate limit): |
low line 62
External URL reference
Source: SKILL.md
| 62 | --name hn --url https://news.ycombinator.com/rss --max 5 |
low line 76
External URL reference
Source: SKILL.md
| 76 | --name api --url https://api.example.com/events \ |
low line 84
External URL reference
Source: SKILL.md
| 84 | > Every 15 minutes, run `watch_rss.py --name hn --url https://news.ycombinator.com/rss`. If it prints anything, summarize the headlines and deliver them. If it prints nothing, stay silent. |
Scanned on Jun 11, 2026
GitHub Stars: 185.0K
Category: development
Updated: June 15, 2026
Tags: hermes, frontend, react, git, api, testing, devops, backend, devops-sre, data-engineer, technical-support, github, development, support
NousResearch/hermes-agent