feat(skills): refuse skill_manage writes on pinned skills #17562
Merged
Extend curator's pin flag from 'skip auto-transitions' to 'no agent edits at all'. All five skill_manage mutation actions (edit, patch, delete, write_file, remove_file) now refuse pinned skills with a message pointing the user at `hermes curator unpin <name>`. Motivation: pin used to only stop the curator's own maintenance pass from touching a skill. Nothing prevented the main agent from editing or deleting a pinned skill via skill_manage in-session. This gives users a hard fence against unwanted agent edits — same semantics as curator pinning, extended to the write tool. Create is unaffected (you can't pin a name that doesn't exist yet, and name collisions already error out). Broken sidecars fail open rather than lock the agent out. The schema description advertises the new refusal so models know not to route around it with rename/recreate tricks.
teknium1 added a commit that referenced this pull request Apr 29, 2026
…17578) Add a dedicated 'Pinning a skill' section that covers both gating layers — curator auto-transitions AND the agent's skill_manage tool — so users know what the flag actually protects against after PR #17562. Updates the one-line claim in 'How it runs' to cross-link the new section instead of only mentioning auto-transitions.
Summary
Pinning a skill now blocks the agent's skill_manage tool from editing or deleting it — not just the curator's auto-transitions. Users get a hard fence against unwanted agent edits.
Changes
- `tools/skill_manager_tool.py`: new `_pinned_guard(name)` helper; called in `_edit_skill`, `_patch_skill`, `_delete_skill`, `_write_file`, `_remove_file` right after the skill is located. Returns `{success: false, error: "...hermes curator unpin <name>..."}` on a pinned skill.
- `tools/skill_manager_tool.py`: schema description advertises the refusal so models don't try to route around it (rename/recreate).
- `tests/tools/test_skill_manager_tool.py`: 8 new tests in `TestPinnedGuard` — one per action, one proving sibling skills are unaffected, one proving a broken sidecar fails open.

Design notes
- `~/.hermes/skills/.usage.json` shouldn't lock the agent out of every skill it's otherwise allowed to touch.
- `--unpin-first` param on skill_manage) — the point of pinning is to stop the agent from routing around the fence.

Validation
- `skill_manage action=edit`
- `hermes curator unpin`

How users pin
`hermes curator pin <skill>` / `hermes curator unpin <skill>` — CLI subcommands already shipped with the curator. Only agent-created skills are pinnable (bundled/hub skills are gated out with an explicit error by the curator CLI).
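The guard behaviour described above (refusal on all five mutation actions, sibling skills unaffected, create unaffected, broken sidecar failing open), sketched as an added example that is not the PR's own code. The sidecar layout, the names `pinned_guard`, `skill_manage` and `demo` as written here, the error wording and the skill names are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Assumed sidecar layout (not confirmed by the PR): {"<skill>": {"pinned": true}, ...}
MUTATIONS = {"edit", "patch", "delete", "write_file", "remove_file"}


def pinned_guard(usage_path: Path, name: str):
    """Return a refusal dict if `name` is pinned, else None (also on a broken sidecar)."""
    try:
        data = json.loads(usage_path.read_text(encoding="utf-8"))
        pinned = bool(data[name]["pinned"])
    except (OSError, ValueError, KeyError, TypeError):
        # Fail open: a missing, corrupt or oddly shaped sidecar must not lock every skill.
        return None
    if not pinned:
        return None
    # Constructed wording; the PR only states that the error names the unpin command.
    return {"success": False,
            "error": f"Skill '{name}' is pinned; run `hermes curator unpin {name}` first."}


def skill_manage(usage_path: Path, action: str, name: str):
    """Toy dispatcher: the guard runs for every mutation action, never for create."""
    if action in MUTATIONS:
        refusal = pinned_guard(usage_path, name)
        if refusal is not None:
            return refusal
    return {"success": True, "action": action, "name": name}


def demo():
    """Exercise a constructed sidecar, then the same file after constructed corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        sidecar = Path(tmp) / ".usage.json"
        sidecar.write_text(json.dumps({"deploy-notes": {"pinned": True},
                                       "scratch": {"pinned": False}}))
        blocked = {a: skill_manage(sidecar, a, "deploy-notes")["success"] for a in MUTATIONS}
        message = skill_manage(sidecar, "edit", "deploy-notes")["error"]
        sibling = skill_manage(sidecar, "edit", "scratch")["success"]
        create = skill_manage(sidecar, "create", "deploy-notes")["success"]
        sidecar.write_text("{not json")
        broken = skill_manage(sidecar, "delete", "deploy-notes")["success"]
    return blocked, message, sibling, create, broken
```

Because the guard fails open, a sidecar that stops parsing silently removes the fence, so logging or alerting on sidecar parse failures is a reasonable companion check.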