The latest articles on DEV Community by Scott Glover (@scottgl9). https://dev.to/scottgl9 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3933963%2F299aab4f-add6-455f-bada-916634c34794.jpeg https://dev.to/scottgl9 en Scott Glover Fri, 15 May 2026 22:35:10 +0000 https://dev.to/scottgl9/i-built-skelm-because-n8n-openclaw-and-hermes-didnt-fit-my-use-case-25ob https://dev.to/scottgl9/i-built-skelm-because-n8n-openclaw-and-hermes-didnt-fit-my-use-case-25ob <p>I needed to run AI agent workflows locally, in TypeScript, with real permission<br> enforcement. I spent time with the obvious options — n8n, OpenClaw, Hermes —<br> and none of them quite fit. So I built <a href="https://skelm.dev" rel="noopener noreferrer">skelm</a>.</p> <p>This post is about what specifically didn't fit, what skelm does differently,<br> and one concrete example of why the difference matters.</p> <h2> What the existing tools get wrong (for my use case) </h2> <h3> n8n </h3> <p>n8n is a genuinely great tool. But it's built around visual flows and a<br> node-graph model. I want to write real <code>.ts</code> modules, use the full TypeScript<br> type system, run <code>vitest</code>, and check my workflows into git like any other<br> code. I don't want a JSON config I can't diff cleanly or a canvas I need<br> a browser to edit.</p> <h3> OpenClaw </h3> <p>OpenClaw is excellent for personal assistant use cases — chat routing,<br> multi-channel, agent conversations. But it's fundamentally a <em>messaging</em><br> framework. I needed <em>pipeline</em> primitives: <code>branch</code>, <code>parallel</code>, <code>forEach</code>,<br> <code>loop</code>, <code>wait</code>. Composable, testable, deterministic. OpenClaw isn't built<br> for that and doesn't pretend to be.</p> <h3> Hermes and most LLM orchestration frameworks </h3> <p>The permission model is advisory. You tell the model what it <em>should</em> do<br> in the system prompt. The model tries to comply. This works until it doesn't<br> — a new tool capability ships, the model decides the task requires it anyway,<br> or a crafted input nudges it past the instruction. Advisory permissions are<br> not a security boundary. They're a politeness request.</p> <h2> What skelm does differently </h2> <h3> 1. Real TypeScript, not a DSL </h3> <p>Workflows are <code>.ts</code> files. No YAML, no JSON config, no visual canvas. The<br> full type system, full test runner, full IDE support:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">default</span> <span class="nf">pipeline</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">triage-incident</span><span class="dl">'</span><span class="p">,</span> <span class="na">input</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">incidentId</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">severity</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">])</span> <span class="p">}),</span> <span class="na">steps</span><span class="p">:</span> <span class="p">[</span> <span class="nf">branch</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">severity-gate</span><span class="dl">'</span><span class="p">,</span> <span class="na">on</span><span class="p">:</span> <span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">input</span> <span class="k">as</span> <span class="p">{</span> <span class="na">severity</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}).</span><span class="nx">severity</span><span class="p">,</span> <span class="na">cases</span><span class="p">:</span> <span class="p">{</span> <span class="na">critical</span><span class="p">:</span> <span class="nf">parallel</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">triage</span><span class="dl">'</span><span class="p">,</span> <span class="na">steps</span><span class="p">:</span> <span class="p">[</span> <span class="nf">code</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">search-issues</span><span class="dl">'</span><span class="p">,</span> <span class="na">run</span><span class="p">:</span> <span class="nx">searchGitHub</span> <span class="p">}),</span> <span class="nf">code</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">create-channel</span><span class="dl">'</span><span class="p">,</span> <span class="na">run</span><span class="p">:</span> <span class="nx">createSlackChannel</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">}),</span> <span class="na">high</span><span class="p">:</span> <span class="nf">code</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">notify-oncall</span><span class="dl">'</span><span class="p">,</span> <span class="na">run</span><span class="p">:</span> <span class="nx">notifyOncall</span> <span class="p">}),</span> <span class="na">low</span><span class="p">:</span> <span class="nf">code</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">acknowledge</span><span class="dl">'</span><span class="p">,</span> <span class="na">run</span><span class="p">:</span> <span class="nx">sendAck</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">}),</span> <span class="nf">agent</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">root-cause</span><span class="dl">'</span><span class="p">,</span> <span class="na">backend</span><span class="p">:</span> <span class="dl">'</span><span class="s1">codex</span><span class="dl">'</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">buildRcaPrompt</span><span class="p">(</span><span class="nx">ctx</span><span class="p">),</span> <span class="na">permissions</span><span class="p">:</span> <span class="p">{</span> <span class="na">fsRead</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">./runbooks</span><span class="dl">'</span><span class="p">],</span> <span class="na">fsWrite</span><span class="p">:</span> <span class="p">[],</span> <span class="na">networkEgress</span><span class="p">:</span> <span class="dl">'</span><span class="s1">deny</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">})</span> </code></pre> </div> <p>That's a real, runnable workflow. <code>skelm run triage-incident.workflow.ts<br> --input '{"incidentId":"INC-001","severity":"critical"}'</code>. No gateway<br> required for local runs. No browser.</p> <h3> 2. Structural permissions, not advisory ones </h3> <p>This is the core design decision that everything else follows from.</p> <p>In skelm, permissions are enforced at the <em>boundary</em> before the backend is<br> called — not in the context window. Here's what that looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">agent</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fix-bug</span><span class="dl">'</span><span class="p">,</span> <span class="na">backend</span><span class="p">:</span> <span class="dl">'</span><span class="s1">codex</span><span class="dl">'</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`Fix: </span><span class="p">${(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">input</span> <span class="k">as</span> <span class="p">{</span> <span class="na">test</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}).</span><span class="nx">test</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="p">{</span> <span class="na">fsRead</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">./src</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./test</span><span class="dl">'</span><span class="p">],</span> <span class="na">fsWrite</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">./src</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// only src — tests and config stay read-only</span> <span class="na">allowedExecutables</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">node</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">npm</span><span class="dl">'</span><span class="p">],</span> <span class="na">networkEgress</span><span class="p">:</span> <span class="dl">'</span><span class="s1">deny</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowedMcpServers</span><span class="p">:</span> <span class="p">[],</span> <span class="na">allowedSkills</span><span class="p">:</span> <span class="p">[],</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <p>These aren't hints. They're enforced at three layers:</p> <p><strong>Pre-run mapper</strong> — before any SDK call, skelm translates the policy into<br> backend-specific options and refuses unsafe combinations. <code>fsWrite: ['*']</code><br> with an approval policy set throws <code>CodexPermissionError</code> immediately.<br> Skelm refuses to silently escalate to <code>danger-full-access</code> sandbox mode.</p> <p><strong>Backend in-process enforcement</strong> — Codex's sandbox, Pi's permission<br> enforcer, and skelm's own <code>@skelm/agent</code> backend all enforce natively<br> in-process. Skelm's job is to ensure the translation from declared<br> permissions to backend options is complete and doesn't widen anything.</p> <p><strong>Gateway egress proxy</strong> — the gateway runs an embedded CONNECT proxy.<br> <code>HTTP_PROXY</code> is merged into subprocess environments so outbound TCP is<br> intercepted. <code>allowHosts</code> is enforced at the TCP level, not in the model's<br> context window.</p> <h3> 3. A concrete example of why this matters </h3> <p>When I wired up the Codex backend I set <code>networkEgress: 'deny'</code> and mapped<br> it to <code>networkAccessEnabled: false</code>. That blocks sandbox-shell network<br> calls — <code>curl</code>, <code>wget</code>, etc.</p> <p>But Codex also has a built-in <code>web_search</code> tool that runs <em>inside the Codex<br> process</em>, not through the sandbox shell. <code>networkAccessEnabled: false</code> does<br> not disable it. My deny was covering one surface and missing another.</p> <p>Here's the fix in the permission mapper:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Codex has two distinct network surfaces:</span> <span class="c1">// 1. networkAccessEnabled — sandbox-shell egress (curl, wget, etc.)</span> <span class="c1">// 2. webSearchMode — model's built-in tool, runs in-process,</span> <span class="c1">// NOT interceptable by the gateway proxy</span> <span class="kd">const</span> <span class="nx">networkAccessEnabled</span> <span class="o">=</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">networkEgress</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">deny</span><span class="dl">'</span> <span class="c1">// web_search enabled ONLY on explicit blanket 'allow'.</span> <span class="c1">// { allowHosts: ['api.example.com'] } also disables it —</span> <span class="c1">// the proxy can enforce allowHosts for shell TCP, but not in-process search.</span> <span class="kd">const</span> <span class="nx">webSearchAllowed</span> <span class="o">=</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">networkEgress</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">allow</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">webSearchEnabled</span> <span class="o">=</span> <span class="nx">webSearchAllowed</span> <span class="kd">const</span> <span class="nx">webSearchMode</span><span class="p">:</span> <span class="nx">WebSearchMode</span> <span class="o">=</span> <span class="nx">webSearchAllowed</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">live</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">disabled</span><span class="dl">'</span> </code></pre> </div> <p>This is exactly the kind of gap advisory permissions can't cover. A system<br> prompt that says "don't access the network" doesn't know <code>web_search</code> exists.</p> <h3> 4. Multi-backend, pluggable, not locked in </h3> <p>I wanted to swap backends without rewriting workflows. skelm supports:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Backend</th> <th>What it is</th> </tr> </thead> <tbody> <tr> <td><code>@skelm/agent</code></td> <td>First-party, any OpenAI-compatible endpoint, in-process enforcement</td> </tr> <tr> <td><code>@skelm/codex</code></td> <td>OpenAI Codex via <code>@openai/codex-sdk</code> — sandbox-aware, MCP, streaming</td> </tr> <tr> <td><code>@skelm/pi</code></td> <td>Pi coding agent</td> </tr> <tr> <td><code>@skelm/opencode</code></td> <td>Opencode coding agent (native + ACP)</td> </tr> <tr> <td><code>@skelm/vercel-ai</code></td> <td>Vercel AI SDK</td> </tr> <tr> <td>Built-in ACP</td> <td>Copilot, Claude Code, Gemini CLI</td> </tr> </tbody> </table></div> <p>The same <code>agent()</code> step works across all of them. Swap <code>backend: 'pi'</code> for<br> <code>backend: 'codex'</code> and the permission model, skill injection, and streaming<br> all carry through.</p> <h3> 5. Human-in-the-loop as a first-class primitive </h3> <p><code>wait()</code> pauses a run until a caller resumes it via HTTP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">wait</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">human-review</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Review this expense and approve or reject it.</span><span class="dl">'</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">decision</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">approve</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">reject</span><span class="dl">'</span><span class="p">]),</span> <span class="na">comments</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Resume from anywhere</span> curl <span class="nt">-X</span> POST http://localhost:14738/runs/&lt;runId&gt;/resume <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"output":{"decision":"approve","comments":"Looks good"}}'</span> </code></pre> </div> <p>Not a webhook integration, not a plugin. A first-class step kind.</p> <h3> 6. Tamper-evident audit </h3> <p>Every permission decision, tool call, secret access, and approval is written<br> to a hash-chained audit journal. You can verify the chain hasn't been altered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>skelm audit query <span class="nt">--verify</span> </code></pre> </div> <p>This matters for compliance use cases where you need to prove what the agent<br> was <em>actually</em> permitted to do, not just what it was told.</p> <h2> What skelm is not </h2> <p>It's not a finished product. Pre-v1, APIs unstable, some rough edges. The<br> permission model is solid and the core step primitives work. The ecosystem<br> around it — integrations, docs, tooling — is still growing.</p> <p>It's also not trying to replace n8n for visual workflow automation, or<br> OpenClaw for conversational agents. It occupies a different space: you want<br> to write code, you care about what your agents are actually <em>permitted</em> to<br> do, and you want that enforced structurally.</p> <h2> Getting started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> skelm skelm init my-project <span class="o">&amp;&amp;</span> <span class="nb">cd </span>my-project <span class="o">&amp;&amp;</span> npm <span class="nb">install </span>skelm run workflows/hello.workflow.ts <span class="nt">--input</span> <span class="s1">'{"name":"world"}'</span> </code></pre> </div> <p>Full docs and source: <a href="https://github.com/scottgl9/skelm" rel="noopener noreferrer">github.com/scottgl9/skelm</a></p> <p>If you've hit the same wall with n8n, OpenClaw, Hermes, or any other<br> orchestration framework — I'd genuinely like to hear what the gap was for<br> you. Happy to answer questions about the permission model or any of the<br> backend integrations in the comments.</p> typescript ai security opensource