Socket Firewall Free wrapper for Hermes — block malicious dependencies during install
Project description
hermes-sfw
Socket Firewall Free plugin for Hermes Agent.
Block malicious dependencies at install time. Wrap any package manager command with sfw to get automatic protection — no API key, no config.
sfw action=run command="npm install express"
sfw action=status
Quick Start
Requires Python 3.11+ and the sfw CLI installed on the host system.
Option 1: Deploy script (recommended)
git clone https://github.com/TheEpTic/hermes-plugins.git
cd hermes-plugins/hermes-sfw
./deploy.sh
Then restart Hermes with /reset.
Option 2: Manual symlink
git clone https://github.com/TheEpTic/hermes-plugins.git
ln -s "$(pwd)/hermes-plugins/hermes-sfw/src/hermes_sfw" ~/.hermes/plugins/hermes-sfw
Then /reset in Hermes. The symlink points at the source tree, but Python modules are imported once, so code changes still require /reset or a Hermes process restart before they load.
Option 3: As a Python package
pip install git+https://github.com/TheEpTic/hermes-plugins.git#subdirectory=hermes-sfw
Then enable it and restart Hermes:
hermes plugins enable hermes-sfw
Features
sfw run — Execute Commands
Run any package manager command through sfw. Malicious packages are blocked automatically.
# Install a package
sfw action=run command="npm install express"
# Uninstall
sfw action=run command="npm uninstall lodash"
# Python packages
sfw action=run command="pip install flask"
sfw action=run command="uv pip install -r requirements.txt"
# Rust crates
sfw action=run command="cargo add serde"
# With verbose output
sfw action=run command="pnpm add -D vitest" verbose=true
# In a specific directory
sfw action=run command="npm install" workdir="/path/to/project"
Supported package managers: npm, yarn, pnpm (JS/TS), pip, pip3, uv (Python), cargo, rustup (Rust). npx is intentionally blocked because it can execute arbitrary package code.
Blocked packages: When sfw detects a malicious package, the install is blocked and the package name is returned in the response. Non-package-manager commands (like cat, rm, curl) are rejected by the prefix allowlist.
Output truncation: Output exceeding 10,000 characters is automatically truncated with a size note.
sfw status — Check Installation
Verify sfw is installed and get the version.
sfw action=status
Returns: installed (bool), version (string), binary (path).
How It Works
hermes-sfw is a thin wrapper around the sfw CLI. It:
- Validates the command starts with an allowed package manager prefix
- Resolves and validates the working directory (if specified)
- Executes the command through
sfwwith timeout protection - Parses stdout/stderr for blocked and installed package indicators
- Returns structured JSON with success status, output, and parsed results
Configuration
All settings live in src/hermes_sfw/manager.py as an SFWConfig dataclass:
| Setting | Default | Description |
|---|---|---|
sfw_bin |
sfw |
Path to the sfw binary |
timeout |
300s | Max seconds per command |
Architecture
src/hermes_sfw/
├── __init__.py # Plugin registration + Hermes hooks
├── manager.py # SFWManager — command execution + output parsing
├── schemas.py # Tool schema (what the LLM sees)
├── utils.py # ok(), err(), require() helpers
├── py.typed # PEP 561 marker
└── handlers/
├── __init__.py
└── sfw.py # sfw tool handler
Key design decisions:
SFWManagerowns all state. No module-level mutable state.- Command prefix allowlist prevents arbitrary command execution through sfw.
shlex.split()parsing with error handling catches malformed commands early.- Output sanitization truncates long outputs to prevent context overflow.
OSErrorerrno mapping provides clean error messages without leaking internals.
Security
See SECURITY.md for the full picture.
Defaults you should know about:
- Only package manager commands are allowed (prefix allowlist: npm, yarn, pnpm, pip, cargo, etc.)
- Non-package-manager commands (
cat,rm,curl, etc.) are rejected - Commands run with the permissions of the Hermes agent process
Hardening applied:
- Command prefix validation via allowlist before execution
shlex.split()with error handling prevents shell injection- Workdir resolved with
os.path.realpath()to prevent path traversal - Output truncated at 10K chars to prevent context overflow
- Timeout protection prevents hanging installs
Requirements
- Python 3.11+
- sfw CLI installed on PATH
- Hermes Agent
Troubleshooting
"sfw is not installed"
Install sfw globally: npm i -g sfw. The plugin searches PATH and common locations (~/.local/share/pnpm/bin/, /usr/local/bin/, ~/.npm-global/bin/).
Command rejected with "not allowed"
Only package manager commands are allowed. If you need to add a prefix, modify _ALLOWED_PREFIXES in manager.py.
Command timeout
Default timeout is 5 minutes (300s). For very large installs, this may not be enough. Override via SFWConfig(timeout=...) when creating the manager.
Output looks truncated This is intentional — outputs over 10K chars are truncated with a size note. The full output is in the raw stdout/stderr fields.
Development
git clone https://github.com/TheEpTic/hermes-plugins.git
cd hermes-plugins/hermes-sfw
python -m venv .venv && source .venv/bin/activate
pip install -e '.[dev]'
# Run checks
black --check src/hermes_sfw/ tests/
mypy src/hermes_sfw/
pytest
See CONTRIBUTING.md for guidelines.
License
MIT — see LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file hermes_sfw-0.2.2.tar.gz.
File metadata
- Download URL: hermes_sfw-0.2.2.tar.gz
- Upload date:
- Size: 32.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8a9a2dac6389e4a2a557f074e925cfee11a48c38d0c161a20986f0ffa8764473
|
|
| MD5 |
db615991ce96d6113cbcc92cce8afe89
|
|
| BLAKE2b-256 |
ea86c0cd814137190611b722cf06fc0033b47e600a091d6c19172080050f8182
|
Provenance
The following attestation bundles were made for hermes_sfw-0.2.2.tar.gz:
Publisher:
pypi-publish-sfw.yml on TheEpTic/hermes-plugins
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hermes_sfw-0.2.2.tar.gz -
Subject digest:
8a9a2dac6389e4a2a557f074e925cfee11a48c38d0c161a20986f0ffa8764473 - Sigstore transparency entry: 2158684746
- Sigstore integration time:
-
Permalink:
TheEpTic/hermes-plugins@63c4b2c0e71a3fe2f2f5692a136424cb8c857278 -
Branch / Tag:
refs/tags/hermes-sfw-v0.2.2 - Owner: https://github.com/TheEpTic
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi-publish-sfw.yml@63c4b2c0e71a3fe2f2f5692a136424cb8c857278 -
Trigger Event:
push
-
Statement type:
File details
Details for the file hermes_sfw-0.2.2-py3-none-any.whl.
File metadata
- Download URL: hermes_sfw-0.2.2-py3-none-any.whl
- Upload date:
- Size: 14.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e1d2147303dc7064fe378f9679760ec28728936cdbed39312f5fc734d9d6f0ea
|
|
| MD5 |
828dbe0ba8bc0d355320dbb2959de4f8
|
|
| BLAKE2b-256 |
39527f93f63846083b32a21478ad97df0a52199b58126a903a8e89c9c21ceca5
|
Provenance
The following attestation bundles were made for hermes_sfw-0.2.2-py3-none-any.whl:
Publisher:
pypi-publish-sfw.yml on TheEpTic/hermes-plugins
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hermes_sfw-0.2.2-py3-none-any.whl -
Subject digest:
e1d2147303dc7064fe378f9679760ec28728936cdbed39312f5fc734d9d6f0ea - Sigstore transparency entry: 2158684811
- Sigstore integration time:
-
Permalink:
TheEpTic/hermes-plugins@63c4b2c0e71a3fe2f2f5692a136424cb8c857278 -
Branch / Tag:
refs/tags/hermes-sfw-v0.2.2 - Owner: https://github.com/TheEpTic
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi-publish-sfw.yml@63c4b2c0e71a3fe2f2f5692a136424cb8c857278 -
Trigger Event:
push
-
Statement type: