Tips and usage for hermes-agent.nousresearch.com
Adversa AI’s GuardFall research points to a structural weakness in how open-source AI coding agents such as Hermes, OpenCode, and Roo-Code check shell commands before running them. This is not one single CVE; it is a broader flaw in the safety layer. Many agents inspect the exact text of a command with regex or wildcard rules. Bash can change that text when the command actually runs, through steps such as quote removal, $IFS substitution, and command substitution. As a result, a command that looks allowed during checking can turn into the dangerous command the agent was meant to block. In tests of 11 agents, 10 failed at least one of four bypass methods. Continue was the only one reported to close most of this risk area. The most serious case may run without a separate user opt-in, for example through a malicious repository config that enables automatic tests with a poisoned test command after the first accepted edit.
Hermes should be treated as an AI agent that can do real work, not as a simple chat tool. It can read and change files, run terminal commands, automate browsers, call APIs, use MCP servers, remember context, schedule jobs, and act through connected accounts. That power is why an IT or security team may block or limit it; this is normal information security, not just fear of AI. If Hermes can reach source code, credentials, company SaaS tools, client data, production systems, or outgoing messages, approval and controls are needed. The useful official docs to check are security approvals and blocklists, tools and terminal backends, MCP behavior and trust, Managed Scope for organization-pinned settings, and Nous Portal/Tool Gateway. This is practical workplace guidance, not legal, compliance, or cybersecurity policy advice.
Hermes Agent ran on a Hetzner virtual server with persistent memory, a skill system, scheduled jobs, and more than 60 tools. The setup was used for research, content drafts, Obsidian vault management, and git work. The previous model was Claude Opus 4.6, which worked well but became expensive because autonomous agents can use many tokens while running for long periods. GLM-5.2 is an open-weight model from Z.ai, and it worked in Hermes Agent after changing one config line. There was no fine-tuning and no major prompt rewrite. On OpenRouter, GLM-5.2 cost $0.93 per 1 million input tokens and $3.00 per 1 million output tokens, about 5 to 16 times cheaper than the compared Claude models. In benchmarks, it scored 74.4% on FrontierSWE, 62.1 on SWE-bench Pro, 77.0 on MCP-Atlas, and 81.0 on Terminal-Bench 2.1. It did not beat Opus 4.8 everywhere, but it stayed competitive, and multi-tool calls worked cleanly.
GuardFall is a security issue in AI coding agents such as Hermes, OpenCode, Roo-Code, and similar tools. These tools often check the visible command text against regex or wildcard rules before allowing it to run. Bash can change how that command is understood at runtime through quote removal, $IFS substitution, and command substitution. A command that looks safe during the check can therefore become the dangerous command the tool meant to block. In tests across 11 agents, 10 failed at least one of four bypass methods. Continue reportedly blocked most of the risky surface. The most serious case can happen without the operator choosing a command directly: a malicious repository config can turn on automatic tests and place a poisoned test command that runs after the first accepted edit.
Hermes Agent 0.18.0 was released with no open P0 or P1 items left in the repository. Over 12 days, the team closed about 692 top-priority items: 496 issues and 196 pull requests. The work covered about 1,720 commits from more than 370 contributors. The team also committed to keeping P0 and P1 at zero from now on. The main user-facing change is that Mixture-of-Agents is now treated like a normal model choice instead of a hidden setting. Named MoA presets now appear beside Claude, GPT, and Grok in the command line, terminal interface, desktop app, and gateway. Each reference model can show its reasoning in its own labeled block before the final model combines the results, which makes the answer easier to inspect. Related practical setups show Hermes being used with Kanban boards for several agents at once, and with GLM-5.2 through Z.AI, OpenRouter, or the GLM Coding Plan.
Hexus is a drop-in memory provider for Hermes Agent. It is meant to reduce the limits of Hermes Agent’s built-in memory, including the small character budget, missing semantic search, and memory loss after session resets. It stores memory in PostgreSQL with pgvector, and it creates embeddings on the user’s own device with sentence-transformers. This means normal use has no extra API cost, and the stored conversation data does not need to leave the machine. The default local model is MiniLM-L6-v2, but it can also fall back to Ollama or OpenAI-compatible services. Hexus also builds an entity graph that tracks which items appear together often in conversations. For example, if Docker images and Traefik were configured together, it can follow those links to answer a later question. It also uses CCR to compress large JSON, logs, and code before storage, which helps save the context token budget.
Meituan has released LongCat-2.0 under the MIT license. The model has 1.6 trillion total parameters, but it uses about 48 billion for each token it processes. It supports a native 1 million token context window, meaning it can handle very long inputs. The weights are still being uploaded to Hugging Face, while the API is already live at longcat.chat. For two months, the same model ran on OpenRouter under the anonymous name Owl Alpha, where it reached number 1 on Hermes Agent, number 2 on Claude Code, and number 3 on OpenClaw. VentureBeat reported about 10.1 trillion monthly tokens for Owl Alpha, up 242% month over month. Its main design choices are MoE, LongCat Sparse Attention for cheaper long-context inference on non-Nvidia hardware, and a 135 billion N-gram Embedding module that expands how the model represents token groups. On coding agent benchmarks, it scored 70.8 on Terminal-Bench 2.1, 59.5 on SWE-bench Pro, and 77.3 on SWE-bench Multilingual.
A mobile shell for Hermes Desktop is being proposed so Hermes can run like an app on a phone. It is not a new Hermes interface rebuilt from scratch. It loads the existing Hermes Desktop screen inside a WebView and connects it to a Hermes gateway. On first launch, the app asks for the gateway address, profile, and token, then saves those details on the device. The current work has been tested on a real iPhone, and the Expo project also includes Android configuration. Several phone-specific fixes are included, such as safer screen spacing, better keyboard behavior, easier sidebar navigation, larger tap targets, and list-to-detail settings screens that fit a small display. The work also includes iPhone install notes, screenshots, and a short demo video. It is not ready to merge yet because it needs to be rebased onto the current main branch, and there is still a package-lock.json conflict.
Hermes Desktop 0.17 produced a dangerous delete command while running a workflow with Qwen 3.6 27B through llama.cpp. The command was `rm -rf /c/d`, and it asked for permission before running, so it could be denied. The likely cause was not prompt injection from an outside source, but a bad choice by the agent after it misunderstood a file path. A custom ComfyUI storyboarding skill had been built by combining ideas from several GitHub repositories. During a save step, a path was handled in a confusing way because Windows MSYS/Git-Bash treats paths like `/c` and `/d` specially. That appears to have created folders in the wrong place on the C: drive. The agent then tried to clean up the mistaken folder structure and produced a risky delete command. The system’s permission check stopped the damage before it happened.
Hermes can import an OpenClaw, older Clawdbot, or Moldbot setup with `hermes claw migrate`. A normal run first shows a full preview, then asks for confirmation before changing anything. `--dry-run` only shows the preview, while `--preset full --migrate-secrets --yes` imports compatible settings and API key values without asking again. Hermes reads from `~/.openclaw/` by default and also detects older `~/.clawdbot/` and `~/.moltbot/` folders, plus older config files such as `clawdbot.json` and `moltbot.json`. The migration can bring over persona files such as SOUL.md, AGENTS.md, long-term memory, user profile data, skills, default model settings, provider settings, agent behavior, session reset rules, MCP servers, TTS settings, messaging settings for services like Telegram, Discord, and Slack, approval rules, and browser settings. API key values are not moved by default; `--migrate-secrets` must be added. Hermes looks for API key values in OpenClaw config values, the `.env` file, env fields inside the config, and auth profiles, then copies only keys on its supported allowlist. Items without a direct Hermes match are not thrown away; they are saved under `~/.hermes/migration/openclaw/<timestamp>/archive/` for manual review, including cron jobs, plugins, hooks, multi-agent lists, and complex channel settings. After migration, the setup should be checked by reading the report, reviewing archived files, starting a new session, running `hermes status`, restarting the gateway if messaging tokens were moved, checking session reset settings, re-pairing WhatsApp, and using `hermes claw cleanup` only after everything works.
A VPS running Hermes Agent was compromised through the godmode skill. The attacker added a malicious cron task that ran every minute, loaded godmode, and fetched a shell script from a remote server. Unauthorized SSH keys were added to both the normal user account and the root account, creating a way to return later. A firewall rule was also added to allow SSH access on port 22. The attacker installed xmrig, which connected to 192.3.188.151:8443 and used heavy CPU power for crypto mining. Provider rate limit warnings around 02:30 and 07:30 were caused by the miner’s CPU use, not gateway restarts. Cleanup removed the malicious cron task, killed and deleted xmrig, removed the rogue SSH keys, deleted suspicious scripts, locked root’s authorized_keys with chattr +i, and deleted the godmode skill.
This SOUL.md setup treats the default Hermes profile as a short identity and style guide. The example names the agent Robespierre and frames it as a Hermes agent running all day on a Mac mini M4 with 16 gigabytes of memory. The public version hides the real user name, but the profile includes a reminder about who the main user is. The main rule is to avoid putting operating procedures or project instructions inside SOUL.md. That material belongs in skills, project-specific AGENTS.md files, and wikis. The style guidance tells the agent to answer briefly, lead with the answer or action, skip filler, and avoid repeating what the user already said. This setup became stable after about four months of daily adjustment and then a few weeks of steady use.
On Windows 10, Hermes Desktop App may get stuck while connecting to a Google account or Google Workspace. A Windows Security window appears a few seconds after the app opens and asks for a security key for google.com. Pressing Cancel only hides the window for a short time before it returns. The window offers only two choices: scan a QR code with a phone or use a physical USB security key. Without a USB security key, the setup cannot move forward, and scanning the QR code shows a FIDO code but does not complete the connection. Hours of trying to fix it inside Hermes did not solve it. The current guidance points to a likely desktop app bug that should be reported to Nous Research.
Agent Skills are folders that teach an AI agent how to handle a specific task. A skill for invoice processing, for example, can contain one required SKILL.md file plus optional scripts, reference documents, and assets such as templates or images. SKILL.md is the main instruction file, with basic details such as the skill name and description plus the actual directions for the agent. The snapshot is dated July 10, 2026, and it does not introduce a new feature or make a new claim; it gathers public specifications, vendor documents, and published research into a beginner-level reference. It has not been verified through a full local build-and-test run. When research numbers are mentioned, they are tied to the named paper and limited to what that paper actually tested. Shaib et al. grouped low-quality AI writing into patterns such as thin information, off-topic content, repetition, formulaic structure, unclear logic, and the wrong tone; relevance, information density, and tone were the strongest warning signs.
Clifford is a command-line tool that saves local AI setups and reloads them with short commands. It can connect a user’s own backend to agents such as Pi, Hermes, and Claude Code. For example, using a Qwen3-32B model normally requires a long llama-server command, a manual model settings edit, and a separate Pi command. With Clifford, the flow can become a one-time profile setup, then short commands such as `clifford load qwen` and `clifford pi`. Clifford does not include ready-made backends, so users still need to bring their own local model setup. Official support is currently limited to llama-server, with vLLM support planned later.
In a firsthand test, Hermes agent was connected to GPT-5.5 and used to read 24 PDFs first, creating a baseline for what the files should say. The files were randomly chosen, only some shared the same format, and many were difficult items such as long thermal-paper invoice printouts. Hermes agent then helped set up a test bench on a DGX Spark to run several document extraction tools and vision language models against the same files. Different tools were strong in different ways. Nemotron Parse performed best overall because it could read every file and worked fairly quickly. It still made a few small reading mistakes, as optical character recognition tools often do. olmOCR stood out for accuracy because it handled common mix-ups such as the letter O and the number 0, but it was quite slow.
Several major models changed availability or pricing in the same week in July 2026, so the best model choice for agent work may need to be recalculated. GPT-5.6 became generally available on July 9, and Grok 4.5 became public on July 9. Claude Fable 5 moves to credits-only pricing on July 12, while Sonnet 5 keeps introductory pricing through August 31. Claude Fable 5 is listed at $10 input and $50 output per MTok, scored 80.3% on SWE-Bench Pro, and supports a 1M context. It is positioned as strong for deep analysis and complex reasoning, but too expensive to use as a daily default. The practical use case is a few truly hard tasks per week. GPT-5.6 Sol is listed at $5 input and $30 output per MTok, scored 91.9% on Terminal-Bench 2.1 in ultra mode, and supports a 1.05M context. Its ultra mode can run parallel sub-agents for complex work, and its model ID is gpt-5.6-sol.
ProtonSearch is a fast Windows launcher opened with Alt + Space, with an option to choose a different shortcut. It is meant to go beyond basic Windows Search by searching apps, files, folders, text inside files, text inside images, clipboard history, browser bookmarks and history, Git commits, Windows settings, and Control Panel pages. It claims support for searching inside more than 50 file types. Image text and clipboard image text are handled with OCR. The same search box can also run local commands, insert saved text snippets, start web searches, and search a selected part of the screen. Local AI agents powered by Hermes are included, so the tool points toward using PC search as the starting point for actions. ProtonSearch was previously called OmniSearch, is open-source, and is built as a local-first Windows tool.
Hermes Agent Upgrade can now use HY3 as another model behind the agent. HY3 comes from Tencent Hunyuan and is described as an open-source model for coding, tool calls, reasoning, and long agent workflows. It has 295 billion total parameters and about 21 billion active parameters used at a time. Its context window is 256,000 tokens, which makes it suitable for long documents and long chains of instructions. The existing Hermes setup does not need to be rebuilt; it can be pointed toward HY3 and tested on real work. The practical idea is model choice: one model may do better at visual coding, while another may handle tools more reliably.
Prometheus runs on hermes-agent and repeats a research cycle by itself. Its first build took about one month on one consumer PC, and it has kept running since then. The system creates its own research questions, sends work to several worker programs, runs experiments, keeps the code behind those experiments, and tracks the claims that come out of them. It has produced about 133,000 experiments and 77,000 claims so far. A major part of its work is trying to find where its own conclusions fail before trusting them. It uses adversarial replication, checks for counterexamples in other fields, compares claims with existing literature for novelty, and tests for independence and circular reasoning. On about 500 internal checks, it picked claims that would transfer to new fields with 58% success, only slightly better than chance, so it lowered its transfer confidence. One audit found that about 98% of its discovery list had not been checked against real-world data and had only passed simulations written by its own worker programs.
Hermes is being used as the execution engine for an autonomous AI newsroom that gathers information, finds trends, and publishes content. The project is open source under the Growth-OS repository on GitHub, and its main stack is Python and TypeScript. The work areas include collectors for X, Reddit, search, and research sources; trend and opportunity detection; browser automation with Browser Use and Playwright; AI agents and orchestration; an editorial decision engine; GEO and AI search intelligence; autonomous publishing; and learning from feedback. Contributions can include issues, ideas, architecture feedback, PRs, or work from people with experience in AI agents, browser automation, information retrieval, LLM orchestration, MCP, or similar systems.
Hermes can run many setup actions while helping with coding tasks. One task may install packages with npm or pip, install tools with Homebrew, pull Docker images, or clone Git repositories. After a few days, it can become unclear which package, container, or copied project came from which Hermes session. Agent Install Monitor is an open-source plugin that records installation and environment setup actions done through Hermes. It tracks package installs, Docker images, Git clones, services, and similar setup work. The history is stored locally in SQLite, and it does not send telemetry. It does not offer rollback or approval controls; its purpose is visibility into what Hermes installed during each session.
Hermes Agent is being used to sort email first, then update a separate project management tool so the to-do list reflects what came in through the inbox. The goal is not to turn the inbox itself into the to-do list. ClickUp is the current tool, but simple updates take many AI steps, so the workflow feels inefficient. The real need is a project management app that an AI assistant can navigate, edit, and keep organized with less friction. A ready-made project management tool is preferred over a self-hosted Obsidian setup.
MyClaw now lets people create Hermes instances alongside managed OpenClaw. The same one-click setup is available for both, so users can choose OpenClaw for one workflow and Hermes for another. Each instance runs in an isolated encrypted container. Users do not need to rent a VPS, set up Docker, use SSH, or keep a server running by hand. MyClaw is built for agents that take a goal, do the work, and send the result back where the user already works. Possible outputs include a daily brief, a monitoring alert, an inbox summary, or a report, delivered on a schedule or when requested.
Hermes Agent may fail when its `patch` and `write_file` tools try to change an existing file with tight permissions. The failure happens during an atomic write, where the tool first creates a temporary file in the same folder and later replaces the original file. If the original file is set to mode 400, meaning read-only, Hermes Agent copies that permission to the temporary file before writing the new content. The temporary file then becomes read-only too, so the write step is blocked and the final replace step never happens. Common signs include repeated permission errors on `.hermes-tmp` temporary files and warnings from the file-mutation verifier that the target file did not change. The error details can appear in `~/.hermes/logs/errors.log`. This can affect restricted files such as 400 journal files and 600 config files, and the likely problem area is `_atomic_write_same_fs` in `/tools/file_operations.py`.
Hermes felt fast and useful when it ran directly on a MacBook. It was used every day for real tasks because it fit into the local workflow, could work from the terminal, touch files, and run commands on the machine. A cleanup attempt used Codex to return the setup to something close to a fresh install, which removed most of the custom pieces that had been built around it. Only the Telegram connection was kept. After that, Hermes felt slower, less capable, and less worth using for real tasks. A new attempt is running Hermes on a remote server reached through SSH, but using it mainly through Telegram feels very limited. The missing piece is the old terminal-based setup, where Hermes could act more like part of the computer rather than only a chat interface.
Hermes Agent is being used to build a delivery service for a business. The goal is to create delivery orders inside a Telegram bot and find drivers who have already been registered. The problem is that the bot still shows the Hermes Agent command menu, and commands other than /start still work. Several sources and examples have already been tried, but the menu did not disappear and the commands were not disabled. The main unresolved question is whether Hermes Agent commands can be fully hidden or turned off inside a Telegram bot.
Hermes Agent with Grok is presented as more useful inside custom tools than as a normal chatbot. Simple questions can take about 10 seconds, so it may feel slow for quick answers. Tool-based tasks can take around one to two minutes because the system may need to search files, check context, or run connected actions. The practical claim is that it is better suited to larger work such as research, media generation, and automation than short chat replies. The item also promotes an AI Profit Boardroom video and an AI coaching, support, and course community.
A Windows Hermes Desktop setup with 8 GB RAM and a Ryzen 5500U needs to fetch specific Reddit posts and full comment threads automatically. The goal is to let scripts, cron jobs, and agents gather useful knowledge from public communities such as r/hermesagent, r/localllm, and r/ollama for daily digests, agent research, and a knowledge base. The easy routes are mostly blocked or unreliable. Reddit .json links return 403 errors, www.reddit.com RSS hits 429 rate limits, old.reddit.com RSS works only sometimes and can be blocked by IP, and public Redlib, RSSHub, and Teddit servers are often dead or too slow. Pushshift is no longer available, and PRAW does not solve the need for public subreddit access without Reddit OAuth. The current workaround tries old.reddit first, then six Redlib instances, three RSSHub instances, and three Teddit instances, but it only works from the current IP and fails from cron or other IPs. The needed method must be free, run on low memory, return posts and comments as JSON or clean Markdown, avoid Reddit OAuth for public subreddits, and be reliable without depending heavily on IP. Possible paths include self-hosted Redlib/RSSHub/Teddit, Playwright or undetected-chromedriver browser automation, free-tier APIs such as Firecrawl, Jina.ai, or ScrapingBee, and other lightweight bridges or scrapers.
GPT-5.6 appears to be moving into three fixed tiers called Sol, Terra, and Luna instead of frequently changing product names. Sol is the top tier for hard reasoning, coding, agent work, and research; it is the slowest and most expensive option. Terra is the middle tier for daily work, coding, writing, and analysis, and it is described as roughly GPT-5.5 quality at about half the cost. Luna is the fast, low-cost tier for chat, summaries, and large batches of simple work. For Hermes users, Sol is positioned as the best choice for deep debugging, architecture work, agent design, and long coding tasks. Sol is also described as the only tier with Max reasoning effort and Ultra sub-agent mode. Terra looks like the likely everyday choice for most Hermes workflows. Luna fits summaries, transcript cleanup, search-data prep, classification, compression, bulk translation, and other jobs where speed and cost matter more than the strongest reasoning. Preview API pricing lists Sol at $5 per 1 million input tokens and $30 per 1 million output tokens.