From dfe62457fb56fece88a4808ccf5adfc9094bea7b Mon Sep 17 00:00:00 2001
From: davida-ps
Date: Thu, 7 May 2026 14:58:08 +0300
Subject: [PATCH] Include hermes-agent in NVD queries and export keywords to environment (#226)
* fix(workflow): expand NVD Hermes coverage and keep keyword export
* fix(workflow): export concise nvd summary keywords
---
 .github/workflows/poll-nvd-cves.yml | 7 +++++--
 scripts/feed-utils.sh | 9 +++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/poll-nvd-cves.yml b/.github/workflows/poll-nvd-cves.yml
index 77f234b..fe8bbbc 100644
--- a/.github/workflows/poll-nvd-cves.yml
+++ b/.github/workflows/poll-nvd-cves.yml
@@ -217,6 +217,9 @@ jobs:
 KEYWORDS_PATTERN="$(nvd_keyword_pattern)"
 GITHUB_PATTERN="$(nvd_github_ref_pattern)"
 CPE_PATTERN="$(nvd_cpe_pattern)"
+ # Export concise project keyword groups for PR body + workflow summary steps
+ KEYWORDS="$(nvd_summary_keywords)"
+ echo "KEYWORDS=$KEYWORDS" >> "$GITHUB_ENV"
 # Combine all fetched CVEs
 echo '{"vulnerabilities":[]}' > tmp/combined.json
@@ -398,7 +401,7 @@ jobs:
 | (
 (if ($blob | test("github\\.com/openclaw/openclaw|\\bopenclaw\\b|\\bclawdbot\\b|\\bmoltbot\\b")) then ["openclaw@*"] else [] end)
 + (if ($blob | test("github\\.com/qwibitai/nanoclaw|\\bnanoclaw\\b|whatsapp-bot|\\bbaileys\\b")) then ["nanoclaw@*"] else [] end)
- + (if ($blob | test("github\\.com/softwarepub/hermes|cpe:2\\.3:a:software-metadata\\.pub:hermes|\\bhermes workflow\\b|software publication with rich metadata")) then ["hermes@*"] else [] end)
+ + (if ($blob | test("github\\.com/softwarepub/hermes|github\\.com/nousresearch/hermes-agent|cpe:2\\.3:a:software-metadata\\.pub:hermes|\\bhermes workflow\\b|\\bhermes-agent\\b|software publication with rich metadata")) then ["hermes@*"] else [] end)
 + (if ($blob | test("github\\.com/[^/]+/picoclaw|\\bpicoclaw\\b|cpe:2\\.3:[aho]:[^:]*:picoclaw(?::|$)")) then ["picoclaw@*"] else [] end)
 )
 );
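Review bot: In the hunk at -217, `echo "KEYWORDS=$KEYWORDS" >> "$GITHUB_ENV"` uses the single-line `NAME=value` form, which is only safe while `nvd_summary_keywords` prints exactly one line. The helper currently returns a fixed string, so nothing untrusted reaches the file, but if the list is ever derived from feed data a newline in it would be read as further environment assignments by later steps. I would state the assumption next to the write, e.g. `# KEYWORDS must stay a static single-line value; switch to the KEYWORDS<<DELIM form if it becomes derived`. The surrounding run step starts and ends outside the hunk.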
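Review bot: In the hunk at -398, the new alternative `\\bhermes-agent\\b` matches only the hyphenated spelling, so a CVE description that writes the product as "Hermes Agent" and carries no GitHub reference would not be tagged; `\\bhermes[- ]agent\\b` would cover both. Matches for nousresearch/hermes-agent also land on the existing `hermes@*` label together with softwarepub/hermes, so feed consumers cannot tell the two products apart; if they are meant to be distinct, a separate branch with its own label is needed. The same expression is repeated verbatim in the hunk at -640 and mirrored in scripts/feed-utils.sh, leaving three literals to keep in sync. Whether `$blob` is lower-cased before `test` is not visible in the hunk and is worth confirming, given the all-lowercase `nousresearch` in the pattern.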
@@ -640,7 +643,7 @@ jobs:
 | (
 (if ($blob | test("github\\.com/openclaw/openclaw|\\bopenclaw\\b|\\bclawdbot\\b|\\bmoltbot\\b")) then ["openclaw@*"] else [] end)
 + (if ($blob | test("github\\.com/qwibitai/nanoclaw|\\bnanoclaw\\b|whatsapp-bot|\\bbaileys\\b")) then ["nanoclaw@*"] else [] end)
- + (if ($blob | test("github\\.com/softwarepub/hermes|cpe:2\\.3:a:software-metadata\\.pub:hermes|\\bhermes workflow\\b|software publication with rich metadata")) then ["hermes@*"] else [] end)
+ + (if ($blob | test("github\\.com/softwarepub/hermes|github\\.com/nousresearch/hermes-agent|cpe:2\\.3:a:software-metadata\\.pub:hermes|\\bhermes workflow\\b|\\bhermes-agent\\b|software publication with rich metadata")) then ["hermes@*"] else [] end)
 + (if ($blob | test("github\\.com/[^/]+/picoclaw|\\bpicoclaw\\b|cpe:2\\.3:[aho]:[^:]*:picoclaw(?::|$)")) then ["picoclaw@*"] else [] end)
 )
 );
diff --git a/scripts/feed-utils.sh b/scripts/feed-utils.sh
index ccf5b00..d2fa985 100644
--- a/scripts/feed-utils.sh
+++ b/scripts/feed-utils.sh
@@ -45,18 +45,23 @@ keyword|NanoClaw
 keyword|WhatsApp-bot
 keyword|baileys
 keyword|hermes workflow
+keyword|hermes-agent
 keyword|Picoclaw
 virtualMatchString|cpe:2.3:a:software-metadata.pub:hermes
 virtualMatchString|cpe:2.3:a:picoclaw:picoclaw
 EOF
 }
+nvd_summary_keywords() {
+ echo 'openclaw, nanoclaw, hermes, picoclaw'
+}
+
 nvd_keyword_pattern() {
- echo 'OpenClaw|clawdbot|Moltbot|openclaw|NanoClaw|nanoclaw|WhatsApp-bot|baileys|HERMES workflow|software publication with rich metadata|Picoclaw|picoclaw'
+ echo 'OpenClaw|clawdbot|Moltbot|openclaw|NanoClaw|nanoclaw|WhatsApp-bot|baileys|HERMES workflow|hermes-agent|software publication with rich metadata|Picoclaw|picoclaw'
 }
 nvd_github_ref_pattern() {
- echo 'github\.com/openclaw/openclaw|github\.com/qwibitai/nanoclaw|github\.com/softwarepub/hermes|github\.com/[^/]+/picoclaw'
+ echo 'github\.com/openclaw/openclaw|github\.com/qwibitai/nanoclaw|github\.com/softwarepub/hermes|github\.com/nousresearch/hermes-agent|github\.com/[^/]+/picoclaw'
 }
 nvd_cpe_pattern() {
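Review bot: `nvd_keyword_pattern` lists both capitalisations for the other projects (`OpenClaw|...|openclaw`, `Picoclaw|picoclaw`), which suggests it is applied case-sensitively, yet the new entry is only `hermes-agent`, and the added `github\.com/nousresearch/hermes-agent` is likewise all lower-case. If the consumer does not fold case, references that use a mixed-case organisation name or a "Hermes Agent" spelling would be filtered out of the feed; adding the variants, e.g. `hermes-agent|Hermes-Agent|Hermes Agent`, or matching case-insensitively at the call site would close that gap. `nvd_summary_keywords` is a second hard-coded project list, so a comment such as `# Keep in sync with the keyword and CPE lists in this file` above it would help prevent drift. The heredoc function before the hunk and `nvd_cpe_pattern` after it are cut off, so how the patterns are consumed is not visible here.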