OpenClaw and Hermes Agent are among the most-discussed open-source AI agent frameworks of 2026. Both have established themselves as serious options for self-hosted agent systems within a short period, both are intensely watched by technical communities, and both bring very different assumptions about how an AI agent should be structured. Those differences are exactly what makes a comparison worthwhile.
This article is deliberately neutral. It does not declare a winner. Instead, it gives decision-makers and experienced engineers the information they need to make a well-grounded choice on their own. We look at the origin story of each project, compare the architectures, walk through the release histories of both frameworks, analyze the security models and the CVEs documented for OpenClaw, document the supply-chain incidents around ClawHub, list opportunities and risks, and close with a comparison table that brings every important dimension into a single view.
For context, we reference existing deep dives on the innfactory.ai blog at the relevant points, in particular the OpenClaw architecture explained, the OpenClaw AI agent security review, and the OpenClaw ecosystem guide covering ClawHub, NemoClaw, and NanoClaw.
OpenClaw, a project with many names
OpenClaw has appeared under several names. The project originally went by Moltbot and was a personal project of Peter Steinberger. When Steinberger moved to OpenAI on 14 February 2026, the project was transferred into a foundation structure and renamed to OpenClaw at the same time. The GitHub organization is openclaw, and the commercial SaaS frontend lives at openclawai.io.
For the version numbers readers may run into in issue trackers and CVE databases, it is worth knowing that the project existed long before its public launch. The early phase ran as a v0.x series that reached v0.4.2. During that early phase, the critical security weaknesses that were later documented as CVE-2026-25253, CVE-2026-25891, and CVE-2026-26102 were introduced and eventually fixed.
The jumps from v0.x to v3.x are part of the branding story. In November 2025, v3.0 shipped with multi-model support and a workspace system. On 10 January 2026, v3.5 followed with voice integration (ElevenLabs, Edge TTS, Whisper STT) and Playwright-based browser automation. The actual public rollout of the commercial platform at the end of January 2026 marked the point at which OpenClaw entered broader awareness. On 20 February 2026, v4.0 brought a complete architecture rewrite. v4.0 is labelled “The Agent OS” and introduced the gateway daemon, the canvas system, support for more than fifteen messaging platforms, and cron scheduling. Architecturally, OpenClaw was no longer identical to what had been known as Moltbot.
Hermes Agent, a project from a research lab
Hermes Agent is the agent framework of Nous Research, an open-source AI lab that has become well known in the AI community for its Hermes model series. The GitHub repository was created on 22 July 2025 and developed internally for roughly eight months before the first public release tag was set. The public launch happened on 12 March 2026 with version 0.2.0. The license is MIT.
The commit distribution shows a fairly clear core authorship with broad community participation. The lead contributor is teknium1 with 2,549 commits, followed by 0xbyt4 with 180 commits. Beyond that, more than 300 additional people from the community have contributed. The project therefore follows a model that is common in academic open-source environments, namely clear maintainers plus a wide contribution base.
In contrast to OpenClaw, Hermes Agent pursues no commercial SaaS model. There is no official hosting platform, no subscription model, and no marketplace in the style of ClawHub. Instead, Nous Research provides models through the Nous Portal, including MiMo v2 Pro, which is available free of charge within the portal.
Architecture comparison
OpenClaw and Hermes Agent answer the same question, namely how an agent connects to the outside world, in very different ways. OpenClaw bets on a hub-and-spoke model with a central gateway daemon. Hermes Agent bets on a modular approach whose primary surface is a command-line interface and whose messaging integrations are an optional gateway mode.
OpenClaw, hub-and-spoke with a gateway daemon
At the center of OpenClaw sits a long-running daemon, the gateway. It loads all messaging adapters directly into its own process, including WhatsApp via Baileys and Telegram via grammY. Incoming frames are validated against JSON schemas, and the entire communication between clients and the daemon runs through a typed WebSocket API on ws://127.0.0.1:18789. Exactly one gateway runs per host.
WhatsApp / Telegram / Slack / Discord / Signal / iMessage / ...
               │
               ▼
┌───────────────────────────────┐
│       Gateway (Daemon)        │
│        (Control Plane)        │
│     ws://127.0.0.1:18789      │
└──────────────┬────────────────┘
               │
               ├─ Agent Runtime (RPC)
               ├─ CLI (openclaw ...)
               ├─ WebChat UI
               ├─ macOS App
               └─ iOS / Android Nodes

The wire protocol knows three frame types. A req frame is a client request to the gateway. A res frame is the corresponding response from the gateway. An event frame is a server-side push message. The first frame after connection setup must always be a connect frame, which carries a token for non-local connections. TypeBox schemas serve as the single source of truth. There are six event types, including agent, chat, presence, health, heartbeat, and cron.
Session management runs by default through a shared DM session per agent (main). For multi-user setups, an opt-in Secure DM Mode isolates DMs per sender. Sessions are persisted as JSONL under ~/.openclaw/agents/<agent-id>/sessions/. Skills are hot-reloadable, and the ClawHub marketplace has been available since v4.1.
OpenClaw supports OpenAI, Anthropic, Google, Ollama, and OpenRouter as model providers, both local and remote.
Hermes Agent, modular and CLI-first
Hermes Agent reverses the relationship. The primary entry point is the command line, not a daemon with built-in messaging adapters. The gateway mode is an optional extension that connects Telegram, Discord, WhatsApp, Slack, Feishu, Lark, and WeCom. Container backends, by contrast, are first-class citizens: Hermes Agent supports Docker, Singularity, Modal, Daytona, and Vercel Sandbox.
The skill system resembles OpenClaw’s but differs in one decisive respect. From v0.12 onward, an autonomous curator background process runs that independently evaluates the skill library, removes skills no longer used, and consolidates redundant skills. The memory system is pluggable and supports Honcho as a provider, among others. Browser automation is also solved differently. Instead of a standard Playwright setup, Hermes Agent ships the Camofox Anti-Detection Browser from v0.7.0, explicitly tuned for sites with bot detection.
In its MCP integration, Hermes Agent takes an architecturally unusual route. The framework can act as an MCP server itself, providing services to other agents. From v0.8.0, MCP OAuth 2.1 is supported. Together, both capabilities allow running multiple Hermes instances or other agent frameworks as a federated mesh.
Release history
The following tables summarize the most important releases of both frameworks, to the extent they are relevant for a security- and architecture-driven evaluation.
OpenClaw releases
| Version | Date | Highlights |
|---|---|---|
| v3.0 | November 2025 | Multi-model, workspace system, Docker |
| v3.5 | 10 January 2026 | Voice (ElevenLabs, Edge TTS), browser automation via Playwright, Whisper STT |
| v4.0 | 20 February 2026 | “The Agent OS”, complete architectural rewrite, gateway daemon, canvas system, more than 15 messaging platforms, cron scheduling |
| v4.1 | 15 March 2026 | ClawHub skills marketplace, Claude Code as ACP harness, skill search across 6 registries, semantic search in the memory system |
| v4.2 | 28 March 2026 | ACP (Agent Communication Protocol) for inter-agent communication, thread-bound sessions, sub-agent spawning, session_status tool |
| 2026.5.x-beta | May 2026 | Codex runtime support, xAI, Tencent Cloud, sanitized diagnostic exports |
Hermes Agent releases
| Version | Date | Highlights |
|---|---|---|
| v0.2.0 | 12 March 2026 | Public launch |
| v0.3.0 to v0.6.0 | 12 to 30 March 2026 | Five releases in 18 days, fast iteration of core functions |
| v0.6.0 | 30 March 2026 | Profiles for isolated agent instances, MCP server mode, Docker containers, fallback provider chains, Feishu, Lark, and WeCom messaging, 95 PRs |
| v0.7.0 | 3 April 2026 | “Resilience Release”, pluggable memory providers, Honcho integration, Camofox Anti-Detection Browser, deep gateway hardening, 168 PRs |
| v0.8.0 | 8 April 2026 | Background-process auto-notifications, MiMo v2 Pro free via Nous Portal, MCP OAuth 2.1, approval buttons, 209 PRs |
| v0.12 (2026.4.30) | 30 April 2026 | “The Curator”, autonomous background system for the skill library, 1,096 commits, 550 merged PRs, 213 contributors for this release alone |
The release cadence of Hermes Agent in its first 50 days after launch is striking. Between 12 March and 30 April 2026, there were six numbered releases. The jump from 95 to 168 to 209 to over 550 merged pull requests per release also indicates very active community participation. OpenClaw shows a different profile over the same period. Its releases are less frequent but contain larger structural architecture changes in each step.
Security models compared
The security models reveal perhaps the clearest difference between the two frameworks. OpenClaw inherited a rather permissive default model in its early phase and evolved reactively after public incidents. Hermes Agent established a security model with seven documented layers as a design principle from the start.
OpenClaw security philosophy
The original OpenClaw security model was strongly skill-centric. Skills loaded through the plugin system could run in a sandbox that, in the early phase, exhibited clear gaps. In a public advisory from 6 February 2026, Microsoft characterized OpenClaw’s default permission model as “overly permissive for enterprise environments”. The same advisory recommended sandboxed environments, network segmentation, and approval workflows for skill installation as a minimum baseline.
Releases v0.3.3, v0.4.1, and v0.4.2 addressed the CVEs described in the following sections. Version 4.0 brought a foundational rework of the architecture. Version 4.1 extended ClawHub with a skill-scanning partnership. The trajectory is therefore reactive but visible.
Hermes Agent security philosophy
Hermes Agent differs fundamentally because the security layers are part of the initially documented architecture. Specifically, there are seven layers, each addressing a clearly bounded threat vector.
The first layer is user authorization at the gateway. The order of checks runs through per-platform allow-all flag, DM-pairing approved list, platform-specific allowlists, global allowlist, global allow-all, and ends with a deny by default. The DM-pairing system follows OWASP recommendations and NIST SP 800-63-4. It uses an eight-character code from a 32-character unambiguous alphabet without 0, O, 1, and I, generated via secrets.choice(). The code TTL is one hour, the rate limit is one request per user per ten minutes. Up to three pending codes per platform are allowed, and after five failed approvals the user is locked out for one hour. Pairing files are stored with chmod 0600, and codes never appear in stdout.
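The pairing rules above can be modelled in a few dozen lines. The following is an added example, not Hermes Agent code: the class, method names and file layout are hypothetical, and keying the failure counter on an `actor` argument is an assumption, since the text does not say what the lockout is keyed on.

```python
import hmac
import json
import os
import secrets
import time

# 24 letters (A-Z without I and O) plus digits 2-9: 32 unambiguous symbols.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LEN = 8
CODE_TTL = 3600         # a code is valid for one hour
REQUEST_GAP = 600       # one code request per user per ten minutes
MAX_PENDING = 3         # pending codes per platform
MAX_FAILURES = 5        # failed approvals before lockout
LOCKOUT = 3600          # lockout lasts one hour


class PairingStore:
    """Hypothetical model of the pairing rules; names are not Hermes Agent's."""

    def __init__(self, path, clock=time.time):
        self.path, self.clock = path, clock
        self.pending = {}       # platform -> {code: [user_id, expires_at]}
        self.last_request = {}  # (platform, user_id) -> time of last request
        self.failures = {}      # (platform, actor) -> failed approvals (assumed key)
        self.locked_until = {}  # (platform, actor) -> end of lockout
        self.approved = set()   # (platform, user_id)

    def _live_codes(self, platform):
        """Drop expired codes, return the live ones for this platform."""
        now = self.clock()
        codes = self.pending.setdefault(platform, {})
        for code in [c for c, (_, exp) in codes.items() if exp <= now]:
            del codes[code]
        return codes

    def request_code(self, platform, user_id):
        """Issue a code for an unknown sender, or None if a limit applies."""
        now = self.clock()
        codes = self._live_codes(platform)
        last = self.last_request.get((platform, user_id))
        if last is not None and now - last < REQUEST_GAP:
            return None
        if len(codes) >= MAX_PENDING:
            return None
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        codes[code] = [user_id, now + CODE_TTL]
        self.last_request[(platform, user_id)] = now
        self._save()
        return code  # delivered to the sender by the caller, never printed

    def approve(self, platform, actor, candidate):
        """Return the paired user id, or None on a wrong code or lockout."""
        now, key = self.clock(), (platform, actor)
        if self.locked_until.get(key, 0) > now:
            return None
        codes = self._live_codes(platform)
        wanted = candidate.strip().upper().encode()
        # Each comparison against a live code runs in constant time.
        match = [c for c in codes if hmac.compare_digest(c.encode(), wanted)]
        if not match:
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT
                self.failures[key] = 0
            return None
        user_id, _ = codes.pop(match[0])
        self.failures.pop(key, None)
        self.approved.add((platform, user_id))
        self._save()
        return user_id

    def _save(self):
        # Create the file as 0600 and re-assert the mode if it already existed.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"pending": self.pending,
                       "approved": sorted(self.approved)}, fh)
```

Passing a fake `clock` makes the TTL, rate limit and lockout testable without waiting an hour.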
The second layer is dangerous command approval. Hermes Agent checks every command execution against a curated list of dangerous patterns. Three approval modes are configurable. In manual mode (the default) every execution is confirmed manually. In smart mode, an auxiliary LLM evaluates risk and decides whether to auto-approve, auto-deny, or prompt the user. In off mode, all checks are disabled, which is functionally equivalent to YOLO mode. YOLO mode itself can be activated via the flag --yolo, the slash command /yolo, or the environment variable HERMES_YOLO_MODE=1. On timeout, fail-closed applies.
Independent of the approval mode, a hardline blocklist exists that cannot be bypassed. It triggers before any other approval layer and knows no override flag. The following table lists the most important entries.
| Pattern | Rationale |
|---|---|
| rm -rf / and variants | Deletes the root filesystem |
| rm -rf --no-preserve-root / | Explicit root variant |
| `:(){ : \| :& };:` | |
| mkfs.* on a mounted root device | Formats a running system |
| dd if=/dev/zero of=/dev/sd* | Overwrites physical disks |
| Piping untrusted URLs to sh at root level | Remote code execution vector |
The third layer is container isolation. Hermes Agent supports Docker with hardened security flags, without privileged mode and without sensitive mounts by default. In addition, Singularity is supported for HPC environments, Modal for serverless execution, and Daytona and Vercel Sandbox as further options. Within a container, dangerous command checks are automatically skipped because the container itself represents the security boundary.
The fourth layer is MCP credential filtering. MCP subprocesses receive only the environment variables explicitly approved for them. Credential redaction is implemented, SSRF protection is in place, and a Tirith pre-exec security scan runs over the MCP configuration before each execution.
The fifth layer is context file scanning. Project files are checked for prompt-injection patterns before processing. This is a direct response to the class of attack documented in the OpenClaw ecosystem as CVE-2026-35650.
The sixth layer is cross-session isolation. Sessions cannot access data or state from other sessions. Cron-job storage paths are hardened against path-traversal attacks, the same class of attack that surfaced in the OpenClaw ecosystem as CVE-2026-25253.
The seventh layer is input sanitization. Working-directory parameters in terminal tool backends are validated against allowlists. Shell injection is prevented at the infrastructure level.
In addition, MCP OAuth 2.1 has been implemented since v0.8.0. It architecturally solves exactly the problem that became known in the OpenClaw ecosystem as CVE-2026-25891, namely empty authorization headers accepted as valid.
CVE list for OpenClaw
OpenClaw accumulated multiple CVEs in its early phase, each addressing a distinct attack vector. The overview below follows the publicly documented entries as of May 2026.
CVE-2026-25253, skill sandbox escape
This vulnerability is rated critical with CVSS 9.1. Affected versions are v0.1.0 through v0.3.2, and it was fixed in v0.3.3. Disclosed on 8 February 2026. The cause is a path-traversal bug in the skill loader. Skills could declare paths such as ./data/../../../.ssh/id_rsa. The sandbox system evaluated the path as being “within the skill directory” before the traversal sequence was resolved. The result was read access to arbitrary files on the host system, including SSH keys, AWS credentials, OpenClaw’s own ~/.openclaw/identity.json, and browser credential stores. This vulnerability was actively exploited as part of the ClawHavoc campaign. At least 47 malicious skills used the bug.
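The check-before-resolve ordering described above is easy to reproduce and to correct. The following is an added example that models the bug class, not OpenClaw's loader code; all function names are hypothetical.

```python
import os
from pathlib import Path


def naive_is_inside(skill_dir, declared):
    """Flawed check: prefix test on the joined string, '..' still unresolved."""
    candidate = os.path.join(skill_dir, declared)
    return candidate.startswith(skill_dir.rstrip(os.sep) + os.sep)


def resolve_inside(skill_dir, declared):
    """Resolve first, then test containment. Raises PermissionError on escape."""
    root = Path(skill_dir).resolve(strict=True)
    # resolve() collapses '..' and follows symlinks, so the comparison is made
    # on the location that would actually be opened.
    target = (root / declared).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes skill directory: {declared!r}")
    return target


def audit(skill_dir, declared_paths):
    """Return {declared: (naive verdict, hardened verdict)} for each path."""
    report = {}
    for declared in declared_paths:
        try:
            resolve_inside(skill_dir, declared)
            hardened = True
        except PermissionError:
            hardened = False
        report[declared] = (naive_is_inside(skill_dir, declared), hardened)
    return report
```

Running `audit` over the paths a skill manifest declares shows every entry where the two verdicts differ, which is the set the flawed check would have let through. A loader should also open the resolved path it validated rather than the declared string, so the check and the file access cannot diverge.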
CVE-2026-25891, MCP server authentication bypass
This vulnerability is rated high with CVSS 8.4. Affected versions are v0.2.0 through v0.4.1, and it was fixed in v0.4.2. Disclosed on 19 February 2026. The cause is that MCP servers accepted empty Authorization headers as valid. The check verified only the presence of the header, not its content. Any local process could therefore connect to arbitrary MCP servers without authentication. This vulnerability was used in the MCP proxy campaign to mirror tool invocations to attacker-controlled servers.
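The difference between checking that a header is present and checking what it contains, as an added example that is not OpenClaw's or any MCP server's code. The function names and the dict-based header representation are assumptions.

```python
import hmac


def presence_only(headers):
    """Flawed check as described for CVE-2026-25891: header present, value unread."""
    return any(name.lower() == "authorization" for name in headers)


def verify_bearer(headers, expected_token):
    """Accept only 'Bearer <token>' whose token equals the configured secret."""
    if not expected_token:
        return False  # fail closed when the server has no token configured
    values = [v for k, v in headers.items() if k.lower() == "authorization"]
    if len(values) != 1:
        return False  # missing header, or the same header sent twice
    scheme, _, token = values[0].strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return False  # empty value, wrong scheme, or scheme without a token
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    return hmac.compare_digest(token.encode(), expected_token.encode())


def classify(requests, expected_token):
    """Return [(flawed verdict, hardened verdict)] for each header dict."""
    return [(presence_only(h), verify_bearer(h, expected_token)) for h in requests]
```

The early return on an empty `expected_token` matters as much as the header parsing: without it, a server started with no secret would compare an empty token against an empty secret and accept it.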
CVE-2026-26102, identity file injection
This vulnerability is rated high with CVSS 7.8. Affected versions are v0.1.0 through v0.4.0, and it was fixed in v0.4.1. Disclosed on 14 February 2026. The cause is that skills could overwrite the central identity file ~/.openclaw/identity.json through the configuration API without triggering a user notification or a permission check. The result was a silent privilege escalation, persistence across sessions, and the ability to bend API routing configurations. Twelve variants in ClawHavoc used this gap to duplicate every LLM API call to an external server.
CVE-2026-24763 and CVE-2026-25157, command injection
Both CVEs are rated high with CVSS 7.5. They are two separate command-injection vulnerabilities in the gateway input handling. Shell metacharacters in unsanitized input fields allowed arbitrary command execution in both cases. Both vulnerabilities were fixed in subsequent gateway releases.
CVE-2026-35650, prompt injection and agent config hijack
This vulnerability shows that the attack surface does not sit only at the infrastructure level: the LLM behavior itself can become a vulnerability. Prompt-injected model output could overwrite agent configurations, enabling a policy bypass and a host override. In the Hermes Agent security model, this class of attack is addressed by the context file scanning layer.
Supply-chain incidents at OpenClaw
In 2026, OpenClaw was the target of two documented supply-chain campaigns, each leveraging different attack techniques. Both run through the ClawHub marketplace and are therefore typical examples of risks that emerge in connection with plugin ecosystems.
ClawHavoc
First observed on 3 February 2026. According to publicly available sources, the status in mid-March 2026 was ongoing. Within the campaign, 1,184 malicious packages were identified on ClawHub. 23 legitimate publisher accounts were compromised, infecting auto-update users without their own action. Three distinct threat-actor clusters were identified. The total estimate of installations before package removal lies between 15,000 and 25,000.
The attack techniques included typosquatting, namely package names such as openclw-gmail instead of openclaw-gmail, dependency confusion via wrongly declared prerequisites, legitimate-looking skills with hidden payloads, and publisher-account takeovers. On the payload side, functions ranged from credential theft (covering SSH keys, AWS credentials, API keys, and browser credential stores) through AMOS Stealer as a macOS-specific component and ClickFix social engineering to cryptominers (XMRig), API-key exfiltration via MCP proxy, and identity-file modification for persistence.
MCP proxy campaign
First observed on 15 February 2026. The campaign is more sophisticated than ClawHavoc because it does not rely on obviously malicious skills but quietly reroutes existing infrastructure. The attack proceeds in three stages. First, a malicious skill installs a legitimate-looking MCP server. Then this MCP server registers itself as a proxy for existing MCP servers, exploiting CVE-2026-25891. Finally, all tool invocations are logged and exfiltrated to an attacker server. From the user’s perspective, the system continues to work unremarkably.
Enterprise advisories
In February 2026, several major security vendors published their own advisories on OpenClaw. Microsoft on 6 February 2026 rated the default permission model as too permissive for enterprise environments. CrowdStrike on 10 February 2026 reported a 300 percent increase in attacks on AI developer tools in the first quarter of 2026, with OpenClaw being the most frequently attacked framework. Palo Alto Networks Unit 42 on 12 February 2026 published the Lethal Trifecta framework, describing the combination of read access, network access, and ability to act as a maximum risk profile and requiring the structural separation of at least one of these factors as a minimum standard. Cisco Talos on 14 February 2026 published a C2 infrastructure map, YARA rules for ClawHavoc, and a freely available ClawHub Skill Scanner. Meta on 18 February 2026 highlighted the risk of agent-to-agent propagation in linked workflows. The Dutch Data Protection Authority became the first European supervisor to issue an official advisory regarding OpenClaw installations.
These advisories should not be read as a blanket negative judgement. They show, rather, that the framework is taken seriously by professional security organizations. Comparable advisories for Hermes Agent do not exist as of May 2026, which can be explained both by the framework’s much shorter public availability and by its more conservatively designed security model.
Opportunities of both frameworks
Both frameworks have independent strengths from an enterprise perspective, which carry different weight depending on the requirement profile.
OpenClaw brings the clearly larger ecosystem. The ClawHub marketplace covers a wide skill range, and through the commercial SaaS variant at openclawai.io, an entry path exists for teams that do not want to self-host. The messaging-platform support is unusually broad and includes, besides WhatsApp, Telegram, and Slack, also Discord, Signal, iMessage, Google Chat, Microsoft Teams, Matrix, BlueBubbles, Zalo, and WebChat. The canvas UI system offers visualization and interaction capabilities that are rare in the agent-framework space. Through the Agent Communication Protocol since v4.2, OpenClaw provides its own standard for inter-agent communication, supporting sub-agent spawning and thread-bound sessions. The release pace, combined with the foundation structure, suggests a stable trajectory going forward.
Hermes Agent scores primarily with its proactively designed security model. The seven security layers address exactly the class of attacks that emerged in the OpenClaw ecosystem during its early phase, without having to be retrofitted reactively. The MIT license without commercial ties and the absence of a parallel SaaS variant make the framework attractive to organizations strictly committed to self-hosted solutions. The release cadence is high, the community is active, and with Nous Research, an organization well established in research is behind the project. The Curator as an autonomous skill-library manager is a feature for which OpenClaw has no direct equivalent. MCP OAuth 2.1 is a new standard that is likely to gain considerable importance for federated agent setups.
Risks of both frameworks
Both frameworks also carry risks that must be named honestly.
For OpenClaw, the CVEs that emerged during the early phase and the documented supply-chain campaigns stand out. The ClawHub ecosystem remains large and therefore an attractive target for attackers. Even after the security patches, the originally permissive default permission model remains an element that must be carefully configured in regulated industries. With the move of the originating developer Peter Steinberger to OpenAI, a dependency on the OpenAI ecosystem also emerged that should be considered strategically. The foundation structure cushions this but does not eliminate it. On top of this come the ongoing enterprise advisories, which compliance teams must account for in approval processes.
For Hermes Agent, the risks are different. With a public launch in March 2026, the framework is significantly younger than OpenClaw. The ecosystem is smaller, and there is neither a commercial support offering nor an official hosting variant. The YOLO mode, which disables all approval prompts, is a potential risk in CI/CD environments or automated setups if activated uncritically. The hardline blocklist softens this but does not eliminate it. Even though no CVEs are publicly documented through May 2026, that says nothing about the existence of vulnerabilities, only about their public visibility. The fact that Hermes Agent is supported by a smaller maintainer base can be read as a strength (clear responsibility) or as a risk (bus factor), depending on perspective.
Large comparison table
The following table summarizes every essential comparison dimension.
| Dimension | OpenClaw | Hermes Agent |
|---|---|---|
| Origin | Moltbot by Peter Steinberger, foundation since 14 February 2026 | Nous Research, repo since 22 July 2025, launch v0.2.0 on 12 March 2026 |
| License | MIT, commercial SaaS at openclawai.io | MIT, no commercial SaaS |
| Architecture | Hub-and-spoke with gateway daemon, built-in messaging adapters | Modular, CLI-first, optional gateway mode, container backends as default |
| Deployment | Self-hosted plus SaaS, ClawHub as package registry | Self-hosted only, Nous Portal provides models |
| Messaging platforms | More than 15 platforms, including WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Teams, Matrix, BlueBubbles, Zalo, Google Chat, WebChat | Telegram, Discord, WhatsApp, Slack, Feishu, Lark, WeCom from v0.6.0 |
| Multi-agent | ACP from v4.2, thread-bound sessions, sub-agent spawning | Profiles from v0.6.0 for isolated agent instances |
| Skill system | ClawHub marketplace from v4.1, hot-reload, 6 registries | Skill library, autonomous Curator from v0.12 |
| Memory and context | MEMORY.md, semantic search from v4.1 | Pluggable memory providers, Honcho integration from v0.7.0 |
| Browser automation | Playwright from v3.5 | Camofox Anti-Detection Browser from v0.7.0 |
| MCP integration | MCP support, marketplace integration from v4.1 | MCP server mode, MCP OAuth 2.1 from v0.8.0, credential filtering, SSRF protection, Tirith pre-exec scan |
| Model providers | OpenAI, Anthropic, Google, Ollama, OpenRouter | Provider-agnostic with fallback provider chains, MiMo v2 Pro via Nous Portal |
| Security model | Reactive, application-level checks, ClawHub signatures, VirusTotal scanning | Proactive, seven documented layers, hardline blocklist, container-first |
| CVEs as of May 2026 | CVE-2026-25253 (CVSS 9.1), CVE-2026-25891 (8.4), CVE-2026-26102 (7.8), CVE-2026-24763 (7.5), CVE-2026-25157 (7.5), CVE-2026-35650 | None publicly documented |
| Supply-chain incidents | ClawHavoc, MCP proxy campaign | None documented |
| Enterprise advisories | Microsoft, CrowdStrike, Palo Alto Unit 42, Cisco Talos, Meta, Dutch DPA | None known |
| Lead contributors | Peter Steinberger, now OpenAI, plus foundation maintainers | teknium1 (2,549 commits), 0xbyt4 (180 commits), 300+ community |
| Release cadence | Less frequent, larger structural architecture steps | Six numbered releases in 50 days after launch |
| Self-improvement | Not in the framework itself | Curator process from v0.12 |
Conclusion
Anyone who has read this comparison to this point will have recognized that the question “which one is better?” falls short. The two projects answer partly the same and partly different requirements, and they do so in structurally distinct ways.
OpenClaw is the considerably broader and older project, with a richer ecosystem, more messaging platforms, a commercial SaaS path, and an active community around the ClawHub marketplace. It went through a difficult security phase in its early days, documented in the CVEs and supply-chain campaigns described above. The foundation structure and the architectural rewrite with v4.0 show that the project is visibly learning from that phase.
Hermes Agent is the younger but security-wise more conservatively designed project. It brings a documented seven-layer security model that architecturally addresses many of the vulnerability classes from the OpenClaw landscape. It is purely self-hosted, MIT-licensed, and community-driven. The ecosystem is smaller, but the design decisions feel more straightforward.
A sensible decision aid orients itself along three questions. First, what messaging and channel spectrum does the setup require? OpenClaw offers significantly more here. Second, how high is the organization’s risk tolerance toward plugin ecosystems with documented supply-chain incidents, and how much effort can flow into a hardening strategy? With high risk tolerance or available hardening budget, OpenClaw remains a valid option. With lower risk tolerance or strict compliance requirements, the picture shifts toward Hermes Agent. Third, how important is a commercial source with a SaaS option? OpenClaw provides this, Hermes Agent does not.
A premature commitment is misplaced in either direction. Both frameworks are legitimate options in 2026, both have strengths, both have risks, and both evolve quickly. For a well-founded decision, it pays to consult the current release notes and the security documentation, not least because the findings outlined here may shift with every release.
