In early 2026, Censys counted over 21,000 publicly exposed AI agent instances on the open internet. Security researchers at Koi Security found more than 820 malicious skills on a popular agent skill hub. A social-network for AI agents leaked 1.5 million API tokens from an unsecured database. The question is no longer whether open-source AI agents are powerful enough. The question is whether they are safe enough for your business data.
This post compares the security architectures of OpenClaw and Hermes Agent at the level that matters for a founder: what stops unauthorized people from talking to your agent, what stops the agent from running dangerous commands, and what stops your data from leaving your infrastructure. If you want the broader feature comparison first, start with our strategic comparison.
Why Security Is the First Decision, Not the Last
An AI agent with access to your messaging channels, customer data, and internal tools is not a chatbot. It is an employee with system access. If a human employee had no login credentials, no access controls, and could run any command on your server without approval, you would fire them on day one. The same standard applies to AI agents.
Retrofitting security after deployment is expensive. Gartner estimates that by 2030, 40 percent of enterprises will experience a data breach from unauthorized AI use. For founders, the cost of a breach is not just the technical cleanup. It is lost customer trust, regulatory exposure, and the opportunity cost of the weeks you spend on incident response instead of building product.
The Security Comparison at a Glance
| Security Layer | OpenClaw | Hermes Agent | What This Protects |
|---|---|---|---|
| Authentication | Token, password, or trusted-proxy modes; Ed25519 challenge-response for devices | Platform allowlists (per-channel environment variables); OAuth pairing store | Stops unauthorized users from reaching your agent |
| Device Pairing | Cryptographic challenge-response with per-device tokens; revocation via CLI | User allowlists per platform; pairing store for web access | Controls which phones, laptops, and apps can connect |
| Tool Execution Safety | 6+ tier cascading policy system; global, agent, group, and sandbox-level allow/deny lists | Dangerous command detection with approval gate; always/never/once modes | Prevents the agent from running destructive commands |
| Sandboxing | Session-based isolation; optional per-session containerization for non-main sessions | 6 execution backends; hardened containers with read-only filesystem, dropped capabilities, PID limits | Limits blast radius if the agent does something unexpected |
| Data Isolation | Per-agent workspaces, per-agent memory databases, session-key routing prevents cross-leak | Per-session SQLite storage, platform-keyed sessions, local-only persistence | Keeps customer A's data out of customer B's conversations |
| Telemetry | Configurable; local-first storage | Zero telemetry by design; no data leaves your machine unless you configure it | Your conversations and usage patterns stay private |
| Secret Management | SecretRef system (env vars, files, exec commands); no hardcoded credentials | Dotenv file storage; error logs redact secrets automatically | API keys and tokens are not exposed in config files or logs |
| Security Auditing | Built-in "doctor" command scans for misconfigurations and security warnings | Iteration budgets and runaway prevention (90-turn limit with warnings at 70% and 90%) | Catches security drift before it becomes a breach |
Key Takeaway
OpenClaw is built for multi-user, multi-device environments where access control and data isolation across teams matter most. Hermes Agent is built for single-operator environments where zero telemetry and container-level sandboxing matter most. Both are dramatically more secure than running a raw API wrapper with no access controls, which is unfortunately what many early AI deployments still look like.
Authentication: Who Gets In the Door
Authentication is the first wall. If someone unauthorized can talk to your agent, every other security layer is already fighting uphill.
OpenClaw: Cryptographic Device Pairing
OpenClaw defaults to token-based authentication for its gateway connection. Every new device that connects must complete a cryptographic challenge-response handshake using Ed25519 signatures. The gateway sends a random challenge, the device signs it with its private key, and the gateway verifies the signature against the stored public key. This is the same pattern banks use for device registration.
Once paired, each device gets its own token that can be individually rotated or revoked from the command line. If an employee leaves or a phone is lost, you revoke that one device without disrupting every other connection. OpenClaw also supports role-based access control with granular permission scopes: read-only, write, chat, admin, and more. A support agent can be restricted to chat-only access while the founder keeps full admin control.
On the messaging side, OpenClaw defaults to "pairing mode" for direct messages. Unknown senders receive a pairing code. Their messages are silently dropped until a human approves the pairing. Switching to "open mode" requires explicit opt-in with a wildcard allowlist, making accidental exposure unlikely.
Hermes Agent: Platform Allowlists
Hermes Agent uses environment variable allowlists to control who can interact with the agent on each platform. You set TELEGRAM_ALLOWED_USERS or DISCORD_ALLOWED_USERS to restrict access to specific user IDs. Authorization is checked before the system allocates any resources, so unauthorized messages fail fast without consuming compute.
For web-based access, Hermes uses a pairing store with OAuth-style token exchange. New users undergo a pairing flow and receive authorization tokens tied to their platform identity.
Founder verdict: OpenClaw's cryptographic device pairing and role-based scopes give you more granular control, which matters when multiple people or devices access the same agent. Hermes's allowlist approach is simpler and effective for single-operator setups where you know exactly who should have access.
Tool Execution: What the Agent Is Allowed to Do
An AI agent that can run terminal commands, edit files, and call external services is powerful. It is also dangerous if those capabilities are not controlled. The difference between a useful agent and a liability is whether it asks before running rm -rf.
OpenClaw: Cascading Policy Tiers
OpenClaw enforces tool access through a 6+ tier cascading policy system. A tool must pass every tier to be available. The tiers include global policies, provider-specific policies, agent-level restrictions, group-level restrictions, sandbox policies, and subagent inheritance rules. Each tier can specify an allowlist (only these tools) or a denylist (everything except these tools).
In practice, this means a founder can say: "The support agent can search the knowledge base and draft replies, but cannot execute shell commands or access the file system. The ops agent can run scripts but only in the sandbox session." That level of specificity prevents a misconfigured skill or prompt injection from escalating into a system-level incident.
Hermes Agent: Dangerous Command Detection
Hermes takes a different approach. Instead of restricting which tools are available, it monitors what the agent tries to do and gates dangerous operations. A pattern-matching system detects destructive commands (recursive deletes, permission changes, sudo usage) and triggers an approval callback. In CLI mode, the user gets a real-time prompt with a 45-second timeout. In gateway mode, pre-configured policies handle approval automatically.
Users can respond with "always allow," "never allow," or "allow once" for each command pattern. This builds a learned permission profile over time. Hermes also enforces iteration budgets (default 90 turns per conversation) with warnings at 70 and 90 percent to prevent runaway execution loops.
Founder verdict: OpenClaw's policy tiers are better for team environments where different agents and sessions need different permission sets. Hermes's approval-gate model is better for personal use where you want to stay in the loop on risky operations without pre-configuring every rule.
Sandboxing: Containing the Blast Radius
Even with perfect access controls, agents can make mistakes. Sandboxing limits how far a mistake can spread.
OpenClaw uses session-based sandboxing. The "main" session (your direct interaction) gets full host access by default. Non-main sessions (group chats, channels, automated tasks) can be containerized so that a compromised group conversation cannot access your main workspace or file system. You enable this with a single configuration flag.
Hermes Agent offers six execution backends with varying isolation levels. The standout is its hardened container setup: read-only root filesystem, all Linux capabilities dropped, no privilege escalation allowed, a 256-process PID limit, and full namespace isolation. Persistent data uses mounted volumes rather than a writable root layer. This is closer to production-grade container hardening than most AI tools offer.
For code execution specifically, Hermes runs Python and Node.js scripts in isolated subprocesses communicating through Unix domain sockets. Sandboxed code cannot access delegation or further code execution tools, preventing recursion attacks. A 300-second timeout and 50-tool-call limit cap resource consumption.
Founder verdict: Hermes has the stronger sandboxing story. Its container hardening follows industry best practices (OWASP, CIS benchmarks), and the code execution sandbox is purpose-built for AI agent workloads. OpenClaw's session-based approach is simpler but less granular.
Data Isolation: Keeping Conversations Separate
If your agent handles multiple customers, teams, or projects, data isolation determines whether customer A can ever see customer B's information.
OpenClaw isolates data at multiple levels. Each agent gets its own workspace directory, its own memory database, and its own authentication profiles. Sessions are routed by a composite key that includes the agent ID, the sender identity, and the channel, making cross-session leakage structurally impossible within normal operation. For a business running separate agents for support, sales, and internal ops, this means each agent is a completely independent silo.
Hermes stores session data in local SQLite databases keyed by platform and chat ID. Each message creates a fresh agent instance loaded with only that session's history. The isolation is effective for personal use, but it is designed around one operator with multiple conversations rather than multiple operators sharing infrastructure.
| Isolation Factor | OpenClaw | Hermes Agent | Business Impact |
|---|---|---|---|
| Multi-agent separation | Full workspace, memory, and auth isolation per agent | Single agent with session-level separation | Run support and sales agents without data crossover |
| Session routing | Composite key (agent + sender + channel) | Platform + chat ID + thread ID | Prevents customer A from seeing customer B's conversation |
| Credential isolation | Per-agent auth profiles with OAuth refresh | Shared credential file with secret redaction | One compromised agent does not expose other agents' API keys |
| Memory separation | Per-agent SQLite with vector embeddings | Shared memory with session-scoped retrieval | Agent memories stay contained within their intended scope |
Founder verdict: If you run multiple agents or serve multiple customers from one deployment, OpenClaw's data isolation is built for that. If you are a single founder with one agent, Hermes's session-level separation is sufficient and simpler.
Telemetry and Privacy: What Phones Home
Hermes Agent's strongest security claim is zero telemetry. No usage data, no conversation logs, no analytics leave your machine unless you explicitly configure an external service like Honcho or Browserbase. For founders handling sensitive customer conversations or operating in regulated industries (health, finance, legal), this removes an entire category of compliance risk. You do not need to audit a telemetry pipeline that does not exist.
OpenClaw stores data locally by default and does not send telemetry to Anthropic, OpenAI, or any third party. The privacy posture is strong, but the system does connect to external AI model providers for inference. The practical difference: with Hermes, you can run entirely offline if you use a local model. With OpenClaw, you need at least one model provider connection, but your conversation data and usage patterns stay on your infrastructure.
Secret Management: Keeping API Keys Safe
Both products handle API keys and tokens, but the mechanisms differ. OpenClaw uses a SecretRef system that pulls credentials from environment variables, files, or command output at runtime. You never hardcode a key in a config file. The setup wizard asks whether you want plaintext or reference-based storage, nudging users toward the safer option.
Hermes stores credentials in a dotenv file at ~/.hermes/.env and implements automatic secret redaction in error logs. If the agent encounters an error, any API keys in the log output are masked before being written to disk. Both approaches work, but OpenClaw's SecretRef pattern is closer to infrastructure-grade secret management (similar to how Kubernetes handles secrets).
Security Auditing: Catching Problems Before They Become Breaches
OpenClaw includes a built-in openclaw doctor command that runs security-focused audits. It checks for open DM policies, non-loopback binds without authentication, broken sandbox configurations, expired OAuth tokens, and deprecated security settings. Running this after every configuration change takes 30 seconds and catches the kind of drift that leads to the "21,000 exposed instances" headlines.
Hermes does not have an equivalent one-command audit tool, but it implements runtime safety nets: iteration budgets that prevent runaway execution, automatic budget pressure warnings, and forced termination for stuck processes. These are reactive rather than proactive, but they limit damage from unexpected behavior.
The Security Decision Framework
Security requirements depend on your deployment scenario, not on which product has more features. Here is how to match the product to your situation.
- Multiple team members accessing the agent: OpenClaw. Its role-based access, device pairing, and per-agent isolation are designed for shared environments.
- Single founder or solo operator: Hermes Agent. Its zero-telemetry stance, container hardening, and approval gates are tuned for one person controlling one agent.
- Customer-facing assistant handling sensitive data: OpenClaw. The cascading tool policies, data isolation, and built-in security auditing give you more compliance-ready controls.
- Research or experimentation with untrusted code: Hermes Agent. The hardened container backends with read-only filesystems and dropped capabilities are purpose-built for sandboxed execution.
- Regulated industry (health, finance, legal): Either product can work, but Hermes's zero-telemetry claim is simpler to audit, and OpenClaw's SecretRef system is easier to integrate with existing secret management infrastructure.
The Cost of Getting Security Wrong
A security incident involving an AI agent typically costs a small business $15,000 to $50,000 in direct remediation (forensics, credential rotation, customer notification) plus 2 to 4 weeks of lost founder productivity. The indirect cost is harder to measure: lost customer trust, delayed product launches, and the mental tax of knowing your systems were compromised.
Spending 4 to 8 hours configuring authentication, tool policies, and sandboxing correctly at deployment time is not overhead. It is insurance. Both OpenClaw and Hermes provide the tools. The question is whether you use them. For a broader look at what deployment costs look like beyond security, see our hosting cost breakdown.
Your Next Step
Before you deploy either product, run through a three-question checklist. First: who will access this agent (just you, your team, or your customers)? Second: what data will the agent see (public content, internal docs, or customer PII)? Third: what commands should the agent never run without approval?
If the answers point to a shared, multi-user environment with sensitive data, start with the OpenClaw security setup guide and run openclaw doctor before going live. If the answers point to a single-operator setup where privacy is the top concern, install Hermes Agent and configure a hardened container backend before connecting to any messaging channels.
Related posts
Deploy your AI assistant
Create an autonomous AI assistant in minutes.