So here's the thing that's been bugging me about AI agents.
They're getting really good at doing stuff on your computer. Running terminal commands, editing files, browsing the web, calling APIs. And every week there's a new framework that gives them even more access.
But nobody's really solved the "what if it does something catastrophic" problem. Most agent frameworks deal with this through prompt-level guardrails or application-level allowlists. Which... fine, but those are all software. The agent itself can work around software constraints. A bug in the framework can bypass them. It's security theater, honestly.
I kept thinking — there has to be a way to give an agent real power while making it genuinely impossible for it to do certain things. Not "we told it not to" impossible. Like, the kernel won't let it impossible.
Turns out there is.
two projects that fit together perfectly
NousResearch released Hermes Agent — it's basically a fully loaded autonomous agent. 40+ tools, persistent memory that carries across sessions, self-improving skills, messaging gateways for Telegram/Discord/Slack/Signal/WhatsApp/Email. It's a lot.
And NVIDIA released OpenShell — a sandbox runtime that uses actual kernel-level enforcement. Landlock LSM for filesystem, Seccomp BPF for syscalls, OPA for network policies. When OpenShell says "you can't write outside these three directories," it means the kernel will reject the syscall. There's no clever prompt injection or code exploit that gets around that.
I spent a while getting these two to play nice together. The result is HermesClaw.
what the security actually looks like
I'm not going to pretend this is some novel architecture. It's literally just "put the smart thing inside the secure thing." But the details matter.
The filesystem is locked down via Landlock — the agent can only write to ~/.hermes/, /sandbox/, and /tmp/. Everything else is read-only or invisible. Network goes through an OPA policy engine with an HTTP CONNECT proxy, so the agent can only reach hosts you've explicitly approved. And Seccomp BPF blocks the scary syscalls — ptrace, mount, kexec, and about a hundred others.
There's also a privacy router sitting between the agent and the inference backend that strips credentials before they reach the model. That one was NVIDIA's idea and it's clever.
The part I'm most proud of is the hot-swappable presets. You can go from "this agent can only do local inference" to "this agent can message me on Telegram and search the web" with one command, no restart:
```bash
hermesclaw policy-set gateway
```
Three presets: strict (inference only), gateway (adds messaging), permissive (adds web + github).
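To make the policy model above concrete, here is an added example (my own, not OpenShell's or HermesClaw's code) that reproduces the decision logic of the CONNECT-proxy allowlist and the writable-directory rule in user space: which preset admits which host, what a preset swap changes, and why a write path is normalised before it is compared. The host lists, the local inference port and the home directory /home/agent are assumptions; the post only names the three presets and the three writable roots.

```python
import posixpath
import re

# Constructed allowlists: strict = local inference only, gateway adds
# messaging, permissive adds web + github (hosts/ports are assumptions).
LOCAL_INFERENCE = {"127.0.0.1:8080"}
MESSAGING = {"api.telegram.org:443", "discord.com:443", "slack.com:443"}
WEB_AND_GITHUB = {"api.github.com:443", "duckduckgo.com:443"}
PRESETS = {
    "strict": LOCAL_INFERENCE,
    "gateway": LOCAL_INFERENCE | MESSAGING,
    "permissive": LOCAL_INFERENCE | MESSAGING | WEB_AND_GITHUB,
}
# The three writable roots from the post; HOME assumed to be /home/agent.
WRITABLE = ("/home/agent/.hermes", "/sandbox", "/tmp")

# Only a well-formed CONNECT host:port request line is even considered.
CONNECT_RE = re.compile(r"^CONNECT\s+([^\s/]+?):(\d{1,5})\s+HTTP/1\.[01]$")


class NetworkPolicy:
    """Decides CONNECT requests against the active preset. Swapping the
    preset is a dictionary lookup, so it applies to the next request
    without restarting anything."""

    def __init__(self, preset="strict"):
        self.set_preset(preset)

    def set_preset(self, name):
        if name not in PRESETS:
            raise ValueError(f"unknown preset {name!r}")
        self.preset = name

    def allows(self, request_line):
        m = CONNECT_RE.match(request_line.strip())
        if not m:
            return False  # malformed or non-CONNECT request: default deny
        # Hostnames are case-insensitive and a trailing dot is the same host.
        host, port = m.group(1).lower().rstrip("."), int(m.group(2))
        return f"{host}:{port}" in PRESETS[self.preset]


def write_allowed(path):
    """Landlock-style rule: writes only under the writable roots.
    Normalising first defeats '..' escapes such as /sandbox/../etc; the
    real kernel check also resolves symlinks, which this model does not."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False  # relative paths are ambiguous: deny
    return any(norm == r or norm.startswith(r + "/") for r in WRITABLE)
```

The real enforcement is the kernel and the OPA proxy; this model only shows the semantics a preset encodes so you can reason about what a swap opens up.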
the persistent memory thing is underrated
Hermes Agent stores context in MEMORY.md and USER.md files that survive restarts. So your agent actually learns your preferences over time. It remembers what you asked about last week. The filesystem policy is set up to let the agent read/write these files while blocking everything else.
I've been running this for a while now and the difference between a memoryless agent and one that actually knows who you are is... significant.
getting it running
Docker path works on any machine, no NVIDIA hardware needed:
```bash
git clone https://github.com/TheAiSingularity/hermesclaw
cd hermesclaw
cp .env.example .env
./scripts/setup.sh
docker compose up
```
If you have NVIDIA hardware and want the full kernel enforcement, there's an OpenShell-native setup path in the README.
how it compares to NemoClaw
NVIDIA has their own official agent+sandbox project called NemoClaw. It's good. But HermesClaw does a few things differently — persistent memory across sessions (NemoClaw doesn't have this), self-improving skills via DSPy/GEPA, full local inference with llama.cpp including macOS support, and six messaging gateways vs NemoClaw's more limited set.
NemoClaw wins on multi-cloud inference support and obviously has NVIDIA's official backing. Different tools for different use cases.
stuff I'm actually using it for
- A Telegram bot on my home server. I text my agent from my phone, it does things, it remembers context from last time.
- A research assistant that knows what papers I care about and sends weekly digests.
- A database anomaly detector that pings me on Discord when something looks off.
There are more use case guides in the docs/ folder if you're curious.
it's early and I could use help
This is at v0.2.0. It works, I use it daily, but there's a lot of room to improve. I especially want:
- People with different NVIDIA hardware to run it and tell me what breaks
- New policy presets for specific use cases (healthcare, finance, etc.)
- More gateway integrations
- People who are better at docs than me
Repo is here: github.com/TheAiSingularity/hermesclaw
If you try it, open an issue and tell me how it went. And yeah, a star helps the project show up when people search for this kind of thing.
MIT licensed. This is a community project — not affiliated with NVIDIA or NousResearch.