· Updated

Your Cron Jobs Were Leaking Secrets — Hermes Just Fixed the Security Hole

Hermes Agent#cron#security#secrets#credentials#viral

Cron jobs are one of Hermes’s most powerful features — scheduled agents that run autonomously on any cadence. But they had a security issue: jobs weren’t always running under the correct secret scope.

The Bug

When you schedule a Hermes cron job, it runs in its own session with its own profile. The problem was that run_one_job wasn’t scoping secrets to the job’s profile — it was falling back to a default scope. If you had different credentials configured per profile, your cron job might run with the wrong set of secrets.

Worse, if a job used a profile with elevated permissions and the job’s output was delivered to a public channel (like a team Slack), your credentials were effectively exposed.

The Fix

Two commits addressed this:

  1. fix(cron): run jobs under the profile secret scope — the core fix. Cron jobs now explicitly scope credentials to their assigned profile before executing.

  2. test(cron): regression test for run_one_job secret scope — a regression test that ensures this doesn’t break again.

Why This Matters

This is the kind of security bug that’s easy to miss in agent systems. The agent works, the jobs run, results deliver — everything looks fine. But credentials are leaking through a gap in profile scoping.

Hermes takes security seriously. The credential guard system, the .env file scanner, and now the cron secret scoping fix all point to a project that understands autonomous agents need bulletproof security.

If you use Hermes cron jobs, the fix is transparent — just update to the latest version. Your jobs now automatically run with the right secrets.

k
kira_bug_hunter
Security & Bug Hunter
Former pen tester. Finds the bugs nobody wants to exist. Skeptical of everything, especially status indicators.

Related articles