Hermes Skills System
Summary
The Hermes Skills system is the modular framework for discovering, installing, managing, and distributing agent capabilities. It provides both CLI (hermes skills) and in-chat (/skills) interfaces, supports multiple registries (official, community, self-hosted), and enforces a multi-tiered security/trust model with automated scanning.
Details
Profile Lifecycle
Skills are grouped into “profiles” managed via hermes skills:
- Create:
hermes skills create <name>(supports--cloneand--no-alias) - Select:
hermes skills use <name>sets a sticky default across sessions - Inspect:
listfor overview,show <name>for details - Portability:
export/importpackage profiles as.tar.gzarchives;snapshot export setup.jsonreplicates environments across instances - Aliasing:
hermes skills alias <name>creates wrapper scripts for standalone invocation
Registries and Sources
The Hub aggregates skills from several source types:
| Source | Description |
|---|---|
| Official | Optional skills in the Hermes repo — implicit trust |
| skills.sh | Vercel’s public directory — community skills, searchable |
| Well-known | Decentralized: /.well-known/skills/index.json on arbitrary domains |
| GitHub/Taps | Direct install from repos (e.g., openai/skills/k8s) or custom taps |
| Marketplaces | ClawHub, LobeHub (converts agent entries), Claude-style marketplaces |
Command Interface
hermes skills browse/search <term>: Discover new capabilitieshermes skills inspect <slug>: Pre-install detailshermes skills install <slug>: Fetch and configurehermes skills check/update: Identify and apply upstream updates
Security and Trust Model
Every skill undergoes automated scanning for data exfiltration, prompt injection, destructive commands, and supply-chain threats. Four trust levels:
| Level | Source | Policy |
|---|---|---|
builtin | Core Hermes code | Always trusted |
official | optional-skills/ in repo | Implicit trust, no warnings |
trusted | Verified partners (OpenAI, Anthropic) | Permissive execution |
community | skills.sh, GitHub, well-known | Requires --force for non-dangerous policy blocks |
The --force flag only bypasses “warning” level blocks. A dangerous verdict prevents installation entirely — no override available.