agentvault-hermes

v0.7.8 suspicious
5.0
Medium Risk

Native AgentVault plugin for the Hermes agent runtime — E2E encrypted owner-↔-agent and A2A messaging via MLS

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows moderate risks due to its shell execution capabilities and potentially obfuscated code, despite standard network and metadata practices. Further scrutiny is advised.

  • High shell risk due to subprocess.run usage
  • Potential obfuscation in the code

Per-check LLM notes
  • Network: Network calls using JWT and HTTPX client seem standard for API interactions.
  • Shell: Use of subprocess.run indicates execution of external commands which can be risky if not properly sanitized or controlled.
  • Obfuscation: The use of base64 decoding for cryptographic purposes is common but the code structure hints at potential obfuscation to hide logic or data.
  • Credentials: No clear signs of credential harvesting detected, but further investigation into how decrypted data is used is recommended.
  • Metadata: The missing repository and short author name raise concerns about the legitimacy of the package.

📦 Package Quality Overall: Low (4.8/10)

✦ High Test Suite 9.0

Test suite present — 7 test file(s) found

  • Test runner config found: conftest.py
  • Test runner config found: pyproject.toml
  • 7 test file(s) detected (e.g. conftest.py)

◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "Documentation" -> https://agentvault.chat/docs/hermes
  • Detailed PyPI description (8591 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 330 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 4.5

Found 3 network call pattern(s)

  • jwt}" self._client = httpx.AsyncClient( base_url=self.base_url, timeout=sel
  • : self._http_client = httpx.AsyncClient() await self._connect() return self asy
  • try: async with httpx.AsyncClient(base_url=api_url, timeout=10.0) as client: a

Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • vice_id) ciphertext_in = base64.b64decode(parsed.data["ciphertext"]) res = agent.decrypt(ciphertex
  • ce_id) ciphertext_back = base64.b64decode(parsed_back.data["ciphertext"]) res_back = owner.decrypt
  • (s: str) -> bytes: return base64.b64decode(s.encode("ascii")) def _state_to_dict(state: PersistedStat

Shell / Subprocess Execution score 8.0

Found 4 shell execution pattern(s)

  • urn try: result = subprocess.run( ["hermes", "profile", "create", profile],
  • nv) try: result = subprocess.run( [ str(python),
  • "1" try: result = subprocess.run( [cli_bin, "--version"], capture_out
  • a agentvault_hermes.cli.setup.subprocess.run (the imported module reference). """ import subproces

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: agentvault.chat

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agentvault-hermes
Create a secure messaging application using Python's 'agentvault-hermes' package. Your application should allow users to register as owners and agents, facilitating end-to-end encrypted communication between them. Here’s a detailed breakdown of your task:

1. **User Registration**: Implement a registration system where users can sign up as either owners or agents. Owners will initiate conversations, while agents will respond to these requests.

2. **End-to-End Encryption**: Utilize 'agentvault-hermes' to ensure all messages exchanged between owners and agents are end-to-end encrypted. This means only the sender and receiver can decrypt the messages, ensuring privacy and security.

3. **Message Exchange**: Design a feature allowing owners to send encrypted messages to specific agents. Agents should be able to reply to these messages, maintaining the encrypted channel.

4. **Agent Management**: Provide functionality for owners to manage their list of agents. They should be able to add new agents, remove existing ones, and view their current list of managed agents.

5. **Message History**: Store a history of messages exchanged between each owner-agent pair, accessible only to the respective owner and agent involved in the conversation.

6. **User Interface**: Develop a simple command-line interface (CLI) for users to interact with the application easily. This includes commands for registering, sending messages, managing agents, and viewing message histories.

7. **Security Measures**: Ensure that all sensitive data (such as encryption keys) is securely stored and handled according to best practices.

8. **Testing**: Conduct thorough testing to verify the functionality and security of your application, focusing on both the encryption mechanism and user interaction.

By following these steps and utilizing the 'agentvault-hermes' package effectively, you'll create a robust, secure messaging solution tailored for private communications.