Hermes-style coding agents may miss dangerous shell tricks
Adversa AI’s GuardFall research points to a structural weakness in how such as Hermes, OpenCode, and Roo-Code check before running them. This is not one single CVE; it is a broader flaw in the safety layer. Many agents inspect the exact text of a command with regex or wildcard rules.
Bash can change that text when the command actually runs, through steps such as quote removal, $IFS substitution, and command substitution. As a result, a command that looks allowed during checking can turn into the dangerous command the agent was meant to block. In tests of 11 agents, 10 failed at least one of four bypass methods.
Continue was the only one reported to close most of this risk area. The most serious case may run without a separate user opt-in, for example through a malicious repository config that enables automatic tests with a poisoned test command after the first accepted edit.
Key points
- Hermes is named among affected by this class of safety problem.
- The weakness comes from checking command text before Bash rewrites it at run time.
- 10 of 11 tested agents failed at least one bypass method.
- A malicious repository config can make automatic tests a possible attack path.
- Hermes Agent users should avoid automatic command execution in untrusted projects and review commands before running them.