This is why I turned toward Hermes instead, with the heavy caveat that I’m still early. I’m testing it, not endorsing it. Take everything here as field notes, not a verdict.

What pushed me off OpenClaw

Both of these are the same risk class: a self-hosted agent with shell access, a messaging gateway, and persistent memory, reading attacker-controllable text and then running commands. That’s the job, and it’s the risk, for all of them, Hermes included. The question I kept circling wasn’t is it dangerous. It’s what the tool assumes about its own danger.

OpenClaw’s answer showed up in its marketplace. Skills on ClawHub aren’t passive text. They’re executable instructions the agent reads and acts on, and ClawHub was open by default, with thin review. So in late January 2026 a campaign called ClawHavoc flooded it with poisoned skills. By February 1, auditors found 341 malicious skills out of 2,857 on the platform, roughly one in eight, most of them from a single coordinated operation. They posed as crypto-trading helpers and integrations for names you’d trust, and used social engineering written into the skill files to get you (or your agent, acting for you) to run a “prerequisite” command. That command pulled the Atomic macOS Stealer: browser credentials, keychain passwords, wallet keys, SSH keys, session tokens. One fake “weather” skill grabbed the agent’s own .env full of API keys; another opened a reverse shell back to the attacker. The targets were people running it unattended on an always-on box in a closet, exactly the setup I was about to build.

To OpenClaw’s credit, they moved fast: VirusTotal scanning on every published skill, a patch closing forty-plus issues, and new ClawHub guardrails like publishing delays and auto-hiding reported skills. But “cleaned up after the malware shipped” is a different posture than “couldn’t ship that way in the first place,” and that posture is what I was shopping for.

What drew me toward Hermes

A Hermes skill is a knowledge document: a SKILL.md whose metadata has to declare the environment variables and credential files it touches, with no hardcoded secrets allowed. The default path is skills bundled with the install, an official catalog from Nous, or skills the agent writes for itself after solving something. Pulling a stranger’s skill is a deliberate choice, not the on-ramp. And if a skill carries a scheduled job, installing it doesn’t start that job. It’s registered as a suggestion you have to switch on. Persistence isn’t a side effect of clicking install, which matters when the entire ClawHavoc playbook depended on quietly establishing a foothold.

I won’t oversell it, because I’m still learning where the edges are. Hermes installs third-party skills from GitHub and community hubs too, and the moment you do you’re back in supply-chain territory no matter whose logo is on the agent. It has its own open issues: a known way for sandboxed code to slip past the command-approval system, no egress filtering on terminal commands, a Docker backend that’s run as root. There is no safe one. There’s only the one whose defaults point where a careful person would point them.

What tipped me was the blast radius. A poisoned ClawHub skill on a default OpenClaw box reached straight for the real host, ~/.clawdbot/.env and all. On Hermes I pick a sandbox backend, so the same poisoned skill reaches for the inside of a container I can throw away, behind a command-approval prompt and a hard-block list on the way out. Same attack, wildly different damage. That was enough to make me want to start.

Where I am with it

“For now” is doing real work in everything above. I haven’t stress-tested any of this myself. What I’ve actually done is read a lot, stand Hermes up in a sandbox backend, hand it one small job (checking whether Home Assistant is still up and nudging me if it isn’t), and sit back to watch how it behaves before I trust it with anything that matters. I haven’t tried to break the approval system. I haven’t read a single skill line by line. I’m watching the open issues the way you’d watch any young project you’ve let near your network.

What pulled me toward Hermes was never a guarantee. There isn’t one. It was that its defaults point where a careful version of me would point them, so I don’t have to be a hero to use it safely. That lowered the bar to start, and starting is how you actually learn a tool instead of admiring it from a browser tab.

I keep arriving at the same idea, so I’ll just say it: the best tool isn’t the most capable one, it’s the one you can adopt without lying to yourself about what you’ve done.

So yeah, I’m testing a robot that watches my network. Ask me in a few months whether I still trust it. Right now I trust it enough to keep going, and that’s the most I’ve ever said about an agent with shell access.

Check my work: the Hermes security docs and skills guide, the ClawHub malicious-skills findings and a postmortem of the incident, Hermes’s own open sandbox-bypass issue, and a skeptical take on the OpenClaw audit claims.