Issue Station
Sign In
Tools hereToolbox

hermes - 💡(How to fix) Fix Feature: Immutable/protected skills - prevent agent from modifying critical skills without user approval [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
NousResearch/hermes-agent#25083Fetched 2026-05-14 03:49:09
View on GitHub
Comments
0
Participants
1
Timeline
3
Reactions
0
Author
spiky02plateauspiky02plateau
Participants
spiky02plateauspiky02plateau
Timeline (top)
labeled ×3

Root Cause

Users building domain-critical workflows (financial analysis, medical, legal, security) need to encode principles that the agent must follow but cannot self-modify. The current architecture assumes the agent is always right about what to learn — but in high-stakes domains, the human must control which rules are negotiable and which are not.

The conditional activation system (requires_toolsets, fallback_for_tools) already demonstrates metadata-driven skill behavior. Adding immutable follows the same pattern.

Fix Action

Fix / Workaround

The skill_manage tool treats all skills as fully mutable. The agent can create, patch, edit, or delete any skill in ~/.hermes/skills/ at any time. There is no way to protect critical skills (governance rules, safety constraints, domain-specific principles) from being modified or shadowed by the agent.

  1. skill_manage rejects any action (create/patch/edit/delete) on the skill
  2. Local shadow copies cannot override an immutable skill from an external directory
  3. Only user-initiated CLI commands can modify the skill:
    • hermes skills unlock <name> — temporarily allows modifications
    • hermes skills lock <name> — re-enables protection
    • hermes skills edit <name> — opens in $EDITOR (works on locked skills since it is user-initiated)
  4. Agent attempts to modify immutable skills log a warning and notify the user via the active messaging channel

Code Example

---
name: my-governance-skill
metadata:
  hermes:
    immutable: true
---
RAW_BUFFERClick to expand / collapse

Problem

The skill_manage tool treats all skills as fully mutable. The agent can create, patch, edit, or delete any skill in ~/.hermes/skills/ at any time. There is no way to protect critical skills (governance rules, safety constraints, domain-specific principles) from being modified or shadowed by the agent.

While external_dirs skills are read-only, the agent can create a local shadow copy with the same name that takes precedence — effectively replacing the protected skill without the user knowing.

Proposed Solution

Add an immutable flag to SKILL.md frontmatter:

---
name: my-governance-skill
metadata:
  hermes:
    immutable: true
---

Behavior when immutable: true:

  1. skill_manage rejects any action (create/patch/edit/delete) on the skill
  2. Local shadow copies cannot override an immutable skill from an external directory
  3. Only user-initiated CLI commands can modify the skill:
    • hermes skills unlock <name> — temporarily allows modifications
    • hermes skills lock <name> — re-enables protection
    • hermes skills edit <name> — opens in $EDITOR (works on locked skills since it is user-initiated)
  4. Agent attempts to modify immutable skills log a warning and notify the user via the active messaging channel

Why This Matters

Users building domain-critical workflows (financial analysis, medical, legal, security) need to encode principles that the agent must follow but cannot self-modify. The current architecture assumes the agent is always right about what to learn — but in high-stakes domains, the human must control which rules are negotiable and which are not.

The conditional activation system (requires_toolsets, fallback_for_tools) already demonstrates metadata-driven skill behavior. Adding immutable follows the same pattern.

Alternatives Considered

  • Filesystem permissions (chmod 444): Fragile, breaks agent tool flow, not portable
  • Git-tracked external dirs only: Agent can still shadow locally; detection not prevention
  • Separate "protected" directory: Would work but adds conceptual complexity vs a simple metadata flag

Related

  • The external_dirs read-only behavior already proves the concept of permission-scoped skill access
  • The skill_manage tool already has action-based routing — adding a permission check is a small extension

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#training loop#device allocation#model download#tokenizer error#prompt formatting

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING