MCP security

Hermes retests: prompt fence improved, symlink and learning issues remain open

Hermes security rounds covering secret migration, learning provider prompts, subagents, prefetch boundaries and symlinked profile paths.

Fencefixed
Symlinksopen
Learningopen
Statusmixed

Verdict

The 0.4.17 retest is mixed: selected prompt-boundary escapes are fixed, while symlink isolation, migrated secret prefetch and learning-reference cases still need patch confirmation.

Why Hermes is central

Hermes preloads memory into the agent context. That is powerful, but it turns every memory into prompt surface.

The tests check whether a migrated secret, a subagent write, or a plugin installed through a symlinked path can contaminate the primary context.

What improved

The later retest showed the forgeable untrusted-context fence working on the main prompt-boundary cases I checked.

That is a real fix, so I should not present every original Hermes failure as still unchanged.

What remains open

The symlink cross-profile family still needs patch confirmation, including HERMES_HOME and active_profile paths.

The retest also kept migrated secret prefetch and learning-reference promotion cases open, so this is not ready to be framed as fully fixed.

Rerun the test

docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges --pids-limit 192 --memory 768m --cpus 1 --tmpfs /tmp:rw,nosuid,nodev,size=128m --tmpfs /data:rw,nosuid,nodev,size=512m,mode=1777 -v "$PWD:/work" -w /work -e SIBYL_SECURITY_DATA_ROOT=/data sibyl-memory:local python scripts/run_hermes_security_round12_critical_chain_suite.py

Evidence files