Hermes Agent users should be careful with automatic command runs
GuardFall is a security issue in such as Hermes, OpenCode, Roo-Code, and similar tools. These tools often check the visible command text against regex or wildcard rules before allowing it to run. Bash can change how that command is understood at runtime through quote removal, $IFS substitution, and command substitution.
A command that looks safe during the check can therefore become the dangerous command the tool meant to block. In tests across 11 agents, 10 failed at least one of four bypass methods. Continue reportedly blocked most of the risky surface.
The most serious case can happen without the operator choosing a command directly: a malicious repository config can turn on automatic tests and place a poisoned test command that runs after the first accepted edit.
Key points
- Hermes and similar may be vulnerable to command-check bypasses.
- Bash can reinterpret a command after the agent’s safety check has already passed.
- 10 of 11 tested agents failed at least one bypass method.
- A malicious repository config could trigger a poisoned automatic test command after an accepted edit.
- For unknown , turn off automatic tests and review manually.