When you install a skill into Hermes, you hand it the same surface an OpenClaw skill gets — filesystem, shell, network, and whatever credentials sit in the environment. Hermes doesn't host its own marketplace; it draws from skills.sh, the cross-agent skill directory that also feeds Claude Code, Cursor, and the rest. These are the skills you can install into Hermes today — they are not Hermes-exclusive, which is exactly why the directory's trust posture matters across the whole agent ecosystem.

There's no code signing on this directory, no human review, and no requirement to ship a license. So I scored the 118 most-installed skills in it.

TL;DR

118 skills scored
15% Verified
64% Established
20% Blocked

The sample represents 11,745,734 combined installs. Composite scores range from 4.11 to 8.22 (median 6.36). The sharpest finding: the skills at the top of the install leaderboard are disproportionately the ones that ship without a license. Vercel's own agent-skills repo, at 1,399,150 installs, is Blocked because it has no LICENSE file. Figma, Clerk, LangChain, Firecrawl, Convex, and Apify are Blocked for the same reason. And like the ClawHub ecosystem before it, zero of the 118 declare any security posture in their skill frontmatter. Not one.

Tier Distribution

Chart: Verified 15% (composite 7.0+, strong dimensions); Established 64% (5.0+, sufficient signals); Blocked 20% (disqualifier present); New 0% (insufficient signal coverage).

Eighteen skills earned the Verified tier (15%). Seventy-six landed in the Established middle (64%). Twenty-four tripped a hard disqualifier and got Blocked (20%). Not a single skill fell into the New tier — every one of the 118 had enough signal coverage to be scored properly. That 20% Blocked rate is roughly double what I found on ClawHub in April, and the reason is almost entirely one missing file.

The Most-Installed Skills Don't Have a License

This is the headline. The skills with the highest install counts in the directory are disproportionately the ones that ship without a LICENSE file — which hard-blocks them in the trust engine.

Skill                            Installs   Tier     Disqualifier
vercel-labs/agent-skills         1,399,150  Blocked  NO_LICENSE
get-convex/agent-skills            362,720  Blocked  NO_LICENSE
apify/agent-skills                  59,664  Blocked  NO_LICENSE
firecrawl/cli                       55,992  Blocked  NO_LICENSE
figma/mcp-server-guide              23,480  Blocked  NO_LICENSE + NO_SCORECARD
better-auth/skills                  20,387  Blocked  NO_LICENSE
clerk/skills                        11,990  Blocked  NO_LICENSE + NO_SCORECARD
langchain-ai/langchain-skills       10,077  Blocked  NO_LICENSE

These are not obscure repos. They are the official skill packages from Vercel, Convex, Apify, Firecrawl, Figma, Better Auth, Clerk, and LangChain, companies whose names feed the author-credibility signal. The engine scores all of them as legitimate and actively maintained. They get Blocked anyway, on one disqualifier: NO_LICENSE.

Across the sample, every marquee Blocked entry is a NO_LICENSE block. Together the 24 Blocked skills account for 2,170,468 installs — most of that concentrated in vercel-labs/agent-skills alone. (The single most-installed item in the set, agentspace-so/runcomfy-agent-skills at 4,069,943 installs, does ship a license and lands Established — so the issue is specific to these named publishers, not a directory-wide measurement artifact.)

Why NO_LICENSE is a real risk, not a formality

A missing LICENSE file is not a cosmetic gap. Under copyright law, source code published without a license is "all rights reserved" by default: the author retains exclusive copyright, and there is no grant of permission to use, copy, modify, or redistribute it, even if the repo is public and the install command is one line. (GitHub's terms of service grant other users only the right to view and fork public code on GitHub itself; that is not a license to run it inside your product.)

For a hobby project that's a footnote. For a skill you're wiring into an agent that runs inside a commercial product, it's a real exposure. You are taking a dependency that gives you no legal right to depend on it. If the publisher later objects, changes terms, or is acquired, you have no license to fall back on. Most of these repos almost certainly intend to be open — the omission is an oversight, not a trap — but intent isn't a license. The trust engine can only score what's published, and what's published here is "all rights reserved."

This is also the cheapest disqualifier in the entire algorithm to fix. Adding an MIT or Apache-2.0 file is a one-commit change that moves a repo from Blocked to (usually) Established or Verified in the next scan. Every company in the table above could clear it this afternoon.

What Earned Verified

The picture isn't all gaps. Eighteen skills cleared the Verified bar — composite ≥ 7.0, a solid security dimension, and zero disqualifiers. They prove the bar is reachable, and that a recognizable name plus a license plus basic security hygiene is enough to clear it.

Ten of the eighteen, in descending order of score:

Skill                                 Score  Tier      Installs
googleworkspace/cli                   8.22   Verified  119,922
google-gemini/gemini-cli              8.14   Verified  8,096
larksuite/cli                         7.85   Verified  222,113
chromedevtools/chrome-devtools-mcp    7.84   Verified  9,552
heygen-com/hyperframes                7.82   Verified  86,649
fastapi/fastapi                       7.77   Verified  3,781
vercel-labs/agent-browser             7.72   Verified  442,219
callstack/agent-device                7.68   Verified  6,279
microsoft/azure-skills                7.56   Verified  384,201
supabase/agent-skills                 7.52   Verified  342,660

The Vercel split is the clearest lesson in the dataset. The same publisher appears twice: vercel-labs/agent-browser is Verified at 7.72, and vercel-labs/agent-skills is Blocked with the same publisher quality, purely because one repo has a license and the other doesn't. Same author credibility, heavy adoption on both, opposite tier. The disqualifier isn't a judgment about Vercel; it's a judgment about one missing file in one repo. Google (googleworkspace/cli at 8.22), Microsoft (azure-skills at 7.56), and Supabase (agent-skills at 7.52) all cleared it the boring way: license present, security posture acceptable, no flags.

The Transparency Gap, Again

Skill frontmatter supports a security section where authors declare which credentials a skill touches and which permissions it needs, plus an allowed-tools field that constrains what shell or HTTP calls it can make. Both are optional. Both earn a bonus on the tool_safety signal that can nudge a borderline composite up a tier.

Out of 118 skills surveyed, the security-transparency bonus came back as exactly zero for every single one. Not "rare" — literally none. The adoption rate of declared security posture is 0%, the same flat zero I measured across 200 ClawHub skills in April. Two different ecosystems, two months apart, the same result.

That consistency tells me this isn't an accident of one platform's defaults. It's a coordination problem: authors who constrain their own skills get no market recognition for it, and authors who don't face no penalty. The first agent platform — Hermes included — to require a populated security block as a publishing prerequisite would create a transparency floor across the whole cross-agent directory overnight.

What This Means for You

If you publish agent skills:
Add a LICENSE file. It's a one-commit change that moves you from Blocked to scored. Then add a security block to your skill frontmatter: declare the credentials the skill accesses and the permissions it needs, and constrain allowed-tools. You would be the first entry in a category that currently sits at 0%, and the bonus often nudges a borderline composite into Verified.
If you install skills into Hermes:
15% of the most-installed skills are Verified. 20% are Blocked, most of those on a missing license, which is a legal risk rather than a malware risk, but a risk you're inheriting either way. The 64% in the middle is "probably fine," but these skills still get system-level access to your machine and your Obsidian vault. Score before you install.
If you run an agent or a skill directory:
A 0% security-transparency rate and a 20% no-license rate among your most-installed entries are both coordination failures, not malice. Make a LICENSE file and a populated security block publishing prerequisites. Both rates move the day you ship the requirement.
If you write security or procurement policy:
"It's a public GitHub repo from a known company" is not the same as "we have a license to use it." A fifth of the most-installed skills here are from credible publishers and still legally unsafe to depend on commercially. A pre-install license check belongs in the same gate as a malware scan.

What This Data Doesn't Tell You

Honest limitations: the mcpskills.io engine scores the project around a skill (repo health, author signals, security posture, dependency hygiene, license clarity), not the runtime behavior of the skill at install or invocation. A skill could ship a perfectly valid license and still embed prompt injection in its instruction text. Static analysis catches obvious dangerous patterns in source files (eval, exec, credential exfiltration) but not novel runtime behavior or downstream agent context leaks. And NO_LICENSE reflects the absence of a LICENSE file at scan time; a repo that adds one later clears the block on the next scan. Treat the trust score, Verified tier included, as a strong prior, not a verdict.

Sample: the 118 most-installed skills in the skills.sh directory, by install count, scored on June 12, 2026. Install counts come from the directory itself. The set skews toward high-adoption, recognizable publishers because that's the head of the distribution — which is also where the no-license finding is most surprising and most consequential. A long-tail analysis would surface a different leaderboard and almost certainly a higher raw blocked rate.

Methodology

Discovery: the skills.sh search API plus GitHub topic search for hermes-* topics. 754 unique skills discovered; I scored the top 118 by install count.

Scoring: every skill ran through the production mcpskills.io engine — the same 15-signal algorithm available at mcpskills.io. All 118 were auto-detected as AI skills and scored in Skills Mode (the mode that adds tool_safety, supply_chain_safety, skill_spec_compliance, and known_vulnerabilities). Frontmatter was parsed for the security-transparency bonus; it came back zero for every skill. The full per-skill dataset is published at /data/latest.json under CC BY 4.0.

Full algorithm: /methodology.

Companion reports: The Trust Middle — State of MCP Server Security and State of ClawHub Trust.

Data sources

Every score in this report is reproducible from public data. The trust algorithm itself is an opinionated combination, but the inputs are not.

Prior research that motivated this work

Score your own skill

Free trust report — paste any GitHub repo, npm package, or skill URL before you install it into Hermes.
