Summary
In a vanilla Hermes deployment, \ is OFF by default. As a result, when an end user converses with the agent through the gateway (Telegram, Discord), Hermes routinely echoes back live API key values as part of its visible chat responses (and writes them verbatim into ). For non-technical users this is invisible until something is breached.
Reproduction (real-world deployment)
Production Hermes Agent v0.11.0 on a Hostinger KVM2 VPS (Ubuntu 24.04), \ not set in .
Scanning conversation history for the exact values of credentials present in \ (read each \ from .env, grep -F for the value across session files):
- 24 distinct env-defined credentials were found leaked
- 345 files in \ and \ contained at least one credential value
- Top hit-counts for genuinely sensitive keys:
- OPENROUTER_API_KEY: 412 occurrences
- GHL_AUTH_TOKEN: 80
- BRAVE_API_KEY: 68
- DATAFORSEO_PASSWORD: 66
- VAPI_AUTH_TOKEN: 50
- AI_GATEWAY_API_KEY: 24
- GITHUB_PAT_HERMES: 20
- HOSTINGER_API_TOKEN: 19
- N8N_API_KEY: 17
- PAPERCLIP_API_KEY: 2
The session JSONs are debug dumps (related to #8518) but the same content is also visible in the user-facing chat — meaning end users read their own keys back to themselves over Telegram/Discord, and the keys persist in any cloud chat backups (Telegram cloud, Discord servers).
Impact
- User-visible leak vector: end users who never look at JSON dumps still see keys in their chat history.
- Cloud transit: Telegram/Discord servers now hold copies of these keys.
- No warning at gateway startup that redaction is off; user doesn't know to opt in until they audit.
Existing partial coverage
The redaction infrastructure is already excellent — \ has thoughtful patterns for OpenAI keys, GitHub PATs, Slack tokens, AWS keys, JWTs, Telegram bot tokens, DB connection strings, etc. \ already imports . The only thing missing is making it on by default.
Suggested fix (priority order)
- Change default to ON. \ (default 'true' instead of '').
- Loud opt-out warning. If user explicitly sets , gateway logs a prominent warning at startup ().
- Startup audit. On gateway start, scan \ mtime <30 days for cred prefix patterns; if hits found and redaction is OFF, log a one-time warning recommending opt-out users review.
- Documentation. README quickstart should explicitly call out the env var (currently it's only in code comments).
Related
Workaround (for users hitting this now)
Filed via gh CLI from a real affected user's VPS after a 24-cred / 345-file remediation.
Summary
In a vanilla Hermes deployment, \ is OFF by default. As a result, when an end user converses with the agent through the gateway (Telegram, Discord), Hermes routinely echoes back live API key values as part of its visible chat responses (and writes them verbatim into ). For non-technical users this is invisible until something is breached.
Reproduction (real-world deployment)
Production Hermes Agent v0.11.0 on a Hostinger KVM2 VPS (Ubuntu 24.04), \ not set in .
Scanning conversation history for the exact values of credentials present in \ (read each \ from .env, grep -F for the value across session files):
The session JSONs are debug dumps (related to #8518) but the same content is also visible in the user-facing chat — meaning end users read their own keys back to themselves over Telegram/Discord, and the keys persist in any cloud chat backups (Telegram cloud, Discord servers).
Impact
Existing partial coverage
The redaction infrastructure is already excellent — \ has thoughtful patterns for OpenAI keys, GitHub PATs, Slack tokens, AWS keys, JWTs, Telegram bot tokens, DB connection strings, etc. \ already imports . The only thing missing is making it on by default.
Suggested fix (priority order)
Related
Workaround (for users hitting this now)
Filed via gh CLI from a real affected user's VPS after a 24-cred / 345-file remediation.