Three AI agent frameworks are popular within the independent builder ecosystem: OpenClaw, Hermes, and Claude Code. OpenClaw and Hermes are open-source; Claude Code is a proprietary CLI tool maintained by Anthropic. They overlap enough in surface-level capability that choosing between them often comes down to security tolerance, workflow preferences, and how much visibility you want into what the agent is actually doing. Those three dimensions diverge sharply.

How these three agents actually work
Before comparing security models, it helps to understand what each framework is doing when it runs.
A quick definition first: An AI agent is different from a regular chatbot. A chatbot answers questions. An agent takes actions: reading and writing files on your computer, browsing the web, calling external APIs, installing software, writing and running code. The security differences between OpenClaw, Hermes, and Claude Code come down to how much control each framework asserts over those actions, and how visible those actions are to you.
Claude Code is a command-line tool maintained by Anthropic (it is also available via the Web). You install it, sign into Claude.ai, and it runs as an interactive session in your terminal or browser. It operates on the files and directories you point it at, and it requires you to be actively present — there's no background daemon running while you're away. An IDE extension for VS Code brings the same agent into your code editor, but the underlying traffic model is identical: every interaction routes through Anthropic's servers.
Hermes (NousResearch) is a self-hosted autonomous agent — meaning you run the server on your own machine, and you choose which AI model provider to connect to. You could use OpenAI, Anthropic, a local model running on your hardware, or any provider with an OpenAI-compatible API. Hermes manages its own "skills" as structured memory, learning new capabilities over time. As of version 0.14.0 (released May 16, 2026), Hermes runs natively on Windows using the standard terminal (cmd.exe and PowerShell), without requiring the Linux compatibility layer that was previously needed.
OpenClaw (launched as Clawdbot in November 2025, renamed January 29, 2026) is a community-driven agentic system where capabilities are defined as "skills" — Markdown files with embedded scripts. When you give OpenClaw a task, it finds the relevant skill and runs the associated script with your user permissions: the same level of access you'd have yourself if you ran that script directly. Updates are triggered manually, and OpenClaw can run tools inside sandboxes, an optional behaviour controlled by configuration settings.
OpenClaw's security record
OpenClaw grew to over 346,000 GitHub stars by early February 2026, faster than any open-source project in history. That growth likely created enormous pressure to ship features, and security tooling and infrastructure lagged behind it.
OpenClaw's architecture was an example of what security researchers call the "lethal trifecta": access to private data, the ability to communicate externally, and exposure to untrusted content (via the Web). OpenClaw agents have simultaneous access to private data on your filesystem, consume external web content without filtering, and execute code with your full user permissions. That combination means a malicious web page, a compromised skill package, or injected content in the agent's context can result in the agent taking actions you never requested.
CVE-2026-25253: the critical vulnerability
On February 3, 2026, security researchers disclosed CVE-2026-25253, a critical remote code execution vulnerability in OpenClaw versions through 3.1.2. The CVSS score was 8.8 out of 10.
To understand why this vulnerability was particularly serious, here's what it did in plain terms:
OpenClaw includes a web-based control interface that accepts a URL parameter specifying where it should connect. That parameter was never validated. If an attacker could get you to visit a malicious web page while OpenClaw was running, that page could tell OpenClaw's control interface to connect to the attacker's server instead, leaking your authentication token in the process.
With that token, the attacker could then send commands directly to your local OpenClaw instance: disable confirmation prompts, escape any sandboxing, and run arbitrary commands on your machine. The entire attack chain could be triggered by nothing more than visiting a web page.
Beyond this single CVE, researchers tracked 138 vulnerabilities in OpenClaw over a 63-day window in early 2026, roughly 2.2 new CVEs per day. A separate supply chain attack called ClawHavoc seeded OpenClaw's skill marketplace (ClawHub) with over 1,184 malicious skills — approximately 20% of the entire marketplace — designed to steal credentials. A prompt injection technique called ClawJacked allowed hidden instructions embedded in web pages to redirect OpenClaw's actions and exfiltrate data from connected accounts.
Anthropic access and credential storage
An underlying reason these attacks were so damaging: OpenClaw stores every API credential in plaintext at ~/.openclaw/config.json. Any process running as your user can read this file. When the attacks above succeeded, they had immediate access to OpenAI keys, Anthropic keys, Google OAuth tokens, and any other credentials you'd connected.
On April 4, 2026, Anthropic revoked API access for OpenClaw instances without verified billing accounts, affecting over 135,000 publicly exposed deployments that security researchers had identified. (That figure represents OpenClaw instances found on publicly accessible internet addresses — the total number of users affected was substantially larger.) Users migrated to alternative providers, including OpenAI afterward.
Default security posture at install:
| Behavior | Default | What this means |
|---|---|---|
| Credential storage | Plaintext config file by default with support for SecretRefs | Any process on your machine can read all your API keys by default |
| Audit logging | On | Support for OpenTelemetry call logging |
| Network binding | All interfaces | OpenClaw is accessible to other machines on your network by default |
| Skill execution | Full user permissions | Skills run with the same access you have — no restrictions |
| Package validation | None | Depending on configuration, skills may have elevated install privileges |
| Sandboxing | None | No sandboxing by default |
The security concern is that many first-time OpenClaw users run their first task without changing these defaults, which leaves them exposed from the start.
Is OpenClaw safe to use?
It can be made safer, but the hardening required is significant and non-trivial. At a minimum: change network binding to loopback only, move credentials to SecretRefs rather than the plaintext config file, and run the agent inside a Docker container or dedicated virtual machine. Without those controls on a machine with production credentials, the risk is concrete and well-documented. For security-conscious builders or users who need to deploy quickly, sufficiently hardening OpenClaw may take more time and effort than using Hermes or Claude Code.
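A defender-side check for the plaintext credential problem described above. This is an added example, not OpenClaw's or Hermes's code: it walks a JSON config file, flags string values that look like live API keys or OAuth tokens, treats single-key `{"ref": ...}` objects as SecretRef-style indirection (an assumed shape, since the page does not give the SecretRef format), and reports whether the file mode lets other users read it. The `providers`/`apiKey` key names in the sample are constructed.

```python
# Added example (not OpenClaw's or Hermes's code): audit an agent config file
# for plaintext credentials and for permissions that let other users read it.
import json
import os
import re
import stat
import tempfile

# Shapes of common API keys (OpenAI "sk-", Anthropic "sk-ant-", Google OAuth
# access tokens "ya29."). Assumed from the public key formats.
KEY_PATTERNS = [
    ("anthropic", re.compile(r"^sk-ant-[A-Za-z0-9_\-]{20,}$")),
    ("openai", re.compile(r"^sk-(?!ant-)[A-Za-z0-9_\-]{20,}$")),
    ("google_oauth", re.compile(r"^ya29\.[A-Za-z0-9_\-\.]{20,}$")),
]
# Key names that suggest a secret even when the value format is unknown.
SECRET_NAME = re.compile(r"(api[_-]?key|token|secret|password)", re.I)


def find_plaintext_secrets(obj, path=""):
    """Walk a parsed JSON document and return (json_path, kind) for every
    string value that looks like a live credential. A single-key {"ref": ...}
    object is treated as a SecretRef-style pointer (assumed shape) and skipped."""
    findings = []
    if isinstance(obj, dict):
        if len(obj) == 1 and "ref" in obj:
            return findings  # indirection to a secret store, not a secret
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            findings.extend(find_plaintext_secrets(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(find_plaintext_secrets(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for kind, pattern in KEY_PATTERNS:
            if pattern.match(obj):
                findings.append((path, kind))
                break
        else:
            leaf = path.rsplit(".", 1)[-1]
            if SECRET_NAME.search(leaf) and len(obj) >= 16:
                findings.append((path, "named_secret"))
    return findings


def audit_config(config_path):
    """Return plaintext-secret findings plus whether group/world can read the file."""
    with open(config_path) as fh:
        cfg = json.load(fh)
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    return {
        "secrets": find_plaintext_secrets(cfg),
        # Any read bit beyond the owner's lets other users read every key.
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "mode": oct(mode),
    }


# Constructed sample config (dummy values, assumed key names), not a real file.
SAMPLE_CONFIG = {
    "providers": {
        "openai": {"apiKey": "sk-" + "A" * 40},
        "anthropic": {"apiKey": {"ref": "keychain://anthropic"}},
        "google": {"oauth_token": "ya29." + "b" * 40},
    }
}


def demo():
    """Write the sample config with a typical 0644 mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(SAMPLE_CONFIG, fh)
        path = fh.name
    os.chmod(path, 0o644)  # simulate a world-readable default
    try:
        return audit_config(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run it against ~/.openclaw/config.json (the path the text names) by calling `audit_config` directly; the SecretRef entry in the sample is the only provider that produces no finding.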
Hermes: stronger defaults, significant new capabilities
Hermes launched in February 2026 and reached 140,000 GitHub stars by May — a slower rise than OpenClaw but from a project with a documented, multi-layer security architecture from the start.
Hermes's security model has seven layers: user authorization (allowlists and DM pairing controlling who can talk to the agent); human-in-the-loop approval for dangerous or destructive commands; optional container isolation via Docker, Singularity, or Modal with hardened settings; MCP credential filtering that isolates environment variables for MCP subprocesses; context file scanning for prompt injection in project files; cross-session isolation so sessions cannot access each other's data or state; and input sanitization that validates working directory parameters against an allowlist to prevent shell injection.
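The last layer above, validating the working-directory parameter against an allowlist, is the most concrete of the seven, so here is what such a check looks like. This is an added illustration, not Hermes's own code; the allowlist roots and paths are assumptions.

```python
# Added example (not Hermes's code): allowlist validation of a working-directory
# parameter before it reaches a shell or a tool. Roots and paths are assumed.
import os


class WorkingDirRejected(ValueError):
    """Raised when the requested directory must not be used."""


def validate_working_dir(requested, allowlist):
    """Return the canonical form of `requested` if it lies inside one of the
    allowlisted roots, else raise WorkingDirRejected.

    The path is resolved before comparison so '..' segments and symlinks
    cannot escape a root, and the comparison is done on path components via
    commonpath, not string prefixes, so '/work/projects-evil' does not pass
    for the root '/work/projects'."""
    if not isinstance(requested, str) or not requested:
        raise WorkingDirRejected("working directory must be a non-empty string")
    # A directory parameter that may be interpolated into a command has no
    # legitimate need for shell metacharacters; reject rather than quote.
    if any(ch in requested for ch in ";|&`$\n"):
        raise WorkingDirRejected(f"suspicious characters in {requested!r}")
    resolved = os.path.realpath(requested)
    for root in allowlist:
        root_real = os.path.realpath(root)
        try:
            if os.path.commonpath([root_real, resolved]) == root_real:
                return resolved
        except ValueError:  # mixed absolute/relative or different drives
            continue
    raise WorkingDirRejected(f"{requested!r} is outside the allowlist")


def is_allowed(requested, allowlist):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_working_dir(requested, allowlist)
        return True
    except WorkingDirRejected:
        return False


if __name__ == "__main__":
    roots = ["/work/projects"]  # assumed allowlist
    for candidate in ["/work/projects/app", "/work/projects/../secrets",
                      "/work/projects-evil", "/work/projects;true"]:
        print(candidate, "->", is_allowed(candidate, roots))
```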
Skills in Hermes are Markdown files loaded from configured local or external directories. There is no built-in isolation between local and external skill sources — if an external directory is writable by the Hermes process, the agent can modify files in it. The security boundary is filesystem permissions, not the framework itself.
NVIDIA has built Hermes into its NemoClaw reference stack, which runs agents inside Docker sandboxes on RTX workstations and DGX Spark hardware. This is a meaningful step up from running Hermes directly on your host machine, though it requires separate configuration.
Version 0.14.0: what actually changed
The v0.14.0 release on May 16, 2026, added native Windows terminal support — Hermes now runs directly in cmd.exe and PowerShell without requiring WSL (the Windows Subsystem for Linux, a compatibility layer that was previously needed). This was a practical barrier for many Windows-based developers and removing it meaningfully expanded Hermes's accessible user base.
The same release added hermes proxy: an OpenAI-compatible local proxy that lets other tools route their LLM calls through a Hermes subscription without managing credentials directly. Codex, Aider, or Claude Code can point at the local proxy endpoint, and Hermes attaches the real API key on the way out.
Version 0.14.0 also added computer_use support with non-Anthropic models via cua-driver (macOS only). The agent can take screenshots, click, drag, scroll, type, and interact with desktop applications through an accessibility and vision driver — without stealing the user's cursor or keyboard focus, so your machine remains usable while the agent works. Computer use represents a significant jump in capability and attack surface regardless of that distinction: an agent that can interact with desktop applications, navigate file dialogs, or submit forms is taking actions that are much harder to audit than shell commands.
Hermes and the visibility question
One of the practical security questions with Hermes is about observing what the agent is doing and controlling actions reliably. Hermes is a more autonomous agent than Claude Code. It can queue and execute multi-step tasks without per-step approval.
This matters especially with computer_use enabled (macOS only). The agent operates through an accessibility driver rather than taking over your cursor, so you can still use your machine — but it can still click, type, navigate file dialogs, and submit forms in the background. Those actions could leave less of a trace than shell commands.
CVE-2026-7396 path traversal in the WeChat messaging adapter shows the framework isn't immune to implementation-level vulnerabilities. It's in a specific integration, not core Hermes, but a large community plugin ecosystem means the attack surface grows with each new adapter.
Default security posture at install:
| Behavior | Default | What this means |
|---|---|---|
| Execution model | No task-level refusal policy | Framework doesn't block task categories; refusal behavior depends on which model provider you configure |
| Network binding | Loopback only | Not accessible from other machines by default |
| Audit logging | Session log enabled | Provides token input/output, gateway and error logs |
| Sandboxing | Optional (Docker / Singularity / Modal) | Available but requires configuration |
| Dangerous command approval | Human-in-the-loop | Destructive operations require explicit user approval before executing |
| Prompt injection detection | Context file scanning | Scans project files for injected instructions |
| API authentication | Required for model providers | You must configure a provider |
Hermes has more documented security infrastructure than OpenClaw. It requires human approval for dangerous commands, and scans context files for prompt injection. The framework doesn't enforce a task refusal policy — that depends on your model provider — and container isolation requires explicit configuration before it's active.
Claude Code's security model
Claude Code operates differently from both OpenClaw and Hermes at the infrastructure level.
There's no self-hosted component and no local server. Every API call goes to Anthropic's servers. Billing and rate limits are managed through Claude.ai, which means Anthropic can enforce usage policies and apply content filtering at the model layer. The April 2026 revocation of API access from unverified OpenClaw instances is a direct example of this enforcement capability.
The practical tradeoff: you have less control. You cannot swap in a local model, route traffic through a local inference server, or run offline. You're subject to Anthropic's rate limits and pricing. For teams that want an agent that works without a hardening process, that's a reasonable exchange.
From a security hygiene standpoint, Claude Code is the lowest-friction option for individual developers. Credential storage varies by platform: on macOS, OAuth tokens go to the system Keychain; on Linux and Windows/WSL, they're stored in ~/.claude/.credentials.json with 600 permissions, which blocks other users but not other processes running as you. It runs as an interactive session that requires active invocation, not a persistent background daemon.
The security gaps that remain are behavioral. Claude Code's filesystem access scope is not restricted by default — the agent can read and write wherever you point it, and on a machine with broad permissions that can include the full filesystem. The agent can also write code, make API calls, and invoke whatever tools you configure. Claude Code can be influenced by prompt injection — hidden instructions embedded in files or web pages it reads that redirect its behavior. That risk applies to all three frameworks and requires content scanning to detect, since it's a property of the model's responses rather than the framework's infrastructure.
Default security posture at install:
| Behavior | Default | What this means |
|---|---|---|
| Credential storage | macOS: system Keychain; Linux/WSL: ~/.claude/.credentials.json (600 permissions) | macOS keychain is process-isolated; Linux file is readable by any process running as your user |
| Audit logging | Session-level via Claude.ai dashboard | Accessible in your Claude.ai account history |
| Network binding | N/A (no local server) | No local port to expose |
| Execution model | Interactive, user-approved | Asks before taking significant actions |
| Model access | Anthropic-managed, rate-limited | Subject to Anthropic usage policies |
| Sandboxing | Not applicable | No local code execution sandbox |
Security model comparison
| | OpenClaw | Hermes | Claude Code |
|---|---|---|---|
| Default credential storage | Plaintext config file | Config file (env vars recommended) | macOS: Keychain; Linux/WSL: credentials file (600) |
| Default network binding | All interfaces (0.0.0.0) | Loopback only | N/A |
| Default execution | Full user permissions, no refusals | No task-level refusal policy; human approval required for dangerous commands | Interactive, user-approved |
| Audit logging | On (OpenTelemetry) | Session log | Claude.ai dashboard |
| Supply-chain protection | None | None | N/A |
| Sandboxing option | Docker (manual setup) | Docker / Singularity / Modal (manual setup) | Not applicable |
| CVE history (2026) | 138 CVEs in 63 days; CVE-2026-25253 (RCE) | CVE-2026-7396 (adapter path traversal) | None published |
| Anthropic API status | Access requires verified billing (since Apr 2026) | Active | Active |
| Self-hostable | Yes | Yes | No |
| Computer use support | No | Yes (v0.14.0, macOS only, any model provider) | Limited (IDE-based) |
| Windows support | Yes (terminal) | Yes (native, v0.14.0) | Yes (native) |
What monitoring looks like across all three
The security defaults above explain what each framework does when installed fresh. What they don't cover is ongoing visibility — how you know what the agent is doing during and after a session, especially when it's running unattended.
All three frameworks produce some form of activity record. The differences are in what each captures, how it's formatted, and how much work is required to get from raw logs to a useful answer.
Claude Code keeps session history accessible through the Claude.ai dashboard. When you're in the terminal with the agent, the output is visible directly. Token costs and full request/response detail require pulling from the dashboard, which is per-session rather than aggregated.
Hermes logs LLM calls, gateway traffic, token spending, and errors to session log files. Running Hermes in a visible terminal gives you live output. The computer_use capability in v0.14.0 introduces a category of action — mouse clicks, form submissions, browser navigation — that can appear in session logs. Running Hermes headlessly or in a background terminal means relying on log files rather than live observation.
OpenClaw supports OpenTelemetry-based logging by default. That logging captures the framework's activity, but OpenTelemetry output requires a configured collector to be useful — the raw telemetry data isn't a readable activity log in the same way session logs are.
The practical difference across the three isn't presence or absence of logs — it's how much work it takes to aggregate them and how actionable the result is. Three frameworks mean three different log formats, three different storage locations, and three different levels of detail. When something unusual happens, finding the answer means knowing where each framework keeps its records and how to read them.
The common denominator: every LLM API call passes through the network stack, regardless of how the agent is launched. That's where proxy-based monitoring operates.
How proxy-based monitoring fills the gap
A local proxy sits between the agent and the model provider. Every API call (the prompts sent to the model, the responses that come back, and the tool calls the agent decides to make) flows through the proxy. This is different from framework-level logging: the proxy captures the actual API traffic directly, in a consistent format, regardless of which framework is running.
AgentGuard360 implements this as a service. Setting it up for any of the three frameworks requires pointing the agent's outbound API calls at the proxy instead of directly at the model provider. This is a standard configuration option in all three frameworks:
```bash
# For agents routing through OpenAI-compatible endpoints (Hermes, OpenClaw)
export OPENAI_BASE_URL=http://localhost:7402/openai/v1
# For agents routing through Anthropic (Claude Code, OpenClaw with Anthropic)
export ANTHROPIC_BASE_URL=http://localhost:7402/anthropic
```
Because Hermes accepts any OpenAI-compatible base URL as its model provider, adding the proxy endpoint to Hermes's provider config routes all LLM traffic through the proxy. This works whether Hermes is running in a terminal, running headlessly via script, or running in the background while you work on something else.
The AgentGuard360 proxy allows for privacy-protecting content scanning (no content is sent off-device by default, only content 'DNA'). The proxy is in advisory mode by default: it observes and logs, but it doesn't block calls unless you explicitly configure it to block potentially harmful content. Its default posture is observability-first.
What the proxy captures
When any of these agents routes through the AgentGuard360 proxy, you get:
- Every LLM call with timestamps, model IDs, and token counts (accessible via activity logs)
- The full request (what was sent to the model) and response (what came back), accessible via activity logs
- Token-level cost tracking based on API response data
- Content scanning for potentially harmful content, sensitive information in context
- Supply chain enforcement: the proxy blocks install requests for packages flagged in its threat list, adding a blocking layer for potentially harmful applications
- MCP tool poisoning detection: for agents using MCP (Model Context Protocol) servers, the proxy inspects the tool and resource descriptions that servers advertise before they reach the model
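To make the "consistent format regardless of framework" point concrete, here is the normalisation step a proxy performs on one captured request/response pair: the same record (model, prompt, response text, tool calls, token counts, cost) comes out whether the agent used the OpenAI chat-completions format or the Anthropic messages format. This is an added illustration, not AgentGuard360's code; the model names, prices and sample bodies are constructed placeholders.

```python
# Added example (not AgentGuard360's code): turn one captured LLM exchange into
# a single log record independent of the upstream API format.
import json
import time

# Placeholder (input, output) USD per million tokens; not real pricing.
PRICE_PER_MTOK = {
    "example-openai-model": (1.0, 3.0),
    "example-anthropic-model": (2.0, 6.0),
}


def _openai_record(req, resp):
    """OpenAI chat-completions shape: choices[0].message, usage.prompt_tokens."""
    msg = resp["choices"][0]["message"]
    return {
        "model": resp.get("model", req.get("model")),
        "prompt": [m.get("content") for m in req.get("messages", [])],
        "response": msg.get("content"),
        "tool_calls": [t["function"]["name"] for t in msg.get("tool_calls") or []],
        "tokens_in": resp["usage"]["prompt_tokens"],
        "tokens_out": resp["usage"]["completion_tokens"],
    }


def _anthropic_record(req, resp):
    """Anthropic messages shape: content blocks of type text/tool_use, usage.input_tokens."""
    blocks = resp.get("content", [])
    return {
        "model": resp.get("model", req.get("model")),
        "prompt": [m.get("content") for m in req.get("messages", [])],
        "response": "".join(b.get("text", "") for b in blocks if b.get("type") == "text"),
        "tool_calls": [b["name"] for b in blocks if b.get("type") == "tool_use"],
        "tokens_in": resp["usage"]["input_tokens"],
        "tokens_out": resp["usage"]["output_tokens"],
    }


def normalize_exchange(path, request_body, response_body, now=None):
    """Build one proxy log record from raw JSON bodies. `path` is the upstream
    route the proxy forwarded to; it identifies which API format to parse."""
    req, resp = json.loads(request_body), json.loads(response_body)
    if path.endswith("/chat/completions"):
        rec, rec_provider = _openai_record(req, resp), "openai-compatible"
    elif path.endswith("/messages"):
        rec, rec_provider = _anthropic_record(req, resp), "anthropic"
    else:
        raise ValueError(f"unrecognised upstream path {path!r}")
    price_in, price_out = PRICE_PER_MTOK.get(rec["model"], (0.0, 0.0))
    rec["provider"] = rec_provider
    rec["cost_usd"] = round((rec["tokens_in"] * price_in + rec["tokens_out"] * price_out) / 1e6, 6)
    rec["ts"] = time.time() if now is None else now
    return rec


# Constructed sample exchanges (dummy content, not captured traffic).
OPENAI_REQ = json.dumps({"model": "example-openai-model",
    "messages": [{"role": "user", "content": "List the files in the repo"}]})
OPENAI_RESP = json.dumps({"model": "example-openai-model",
    "choices": [{"message": {"role": "assistant", "content": None,
        "tool_calls": [{"id": "call_1", "type": "function",
            "function": {"name": "run_shell", "arguments": "{\"cmd\": \"ls\"}"}}]}}],
    "usage": {"prompt_tokens": 120, "completion_tokens": 30}})
ANTHROPIC_REQ = json.dumps({"model": "example-anthropic-model",
    "messages": [{"role": "user", "content": "Summarise the README"}]})
ANTHROPIC_RESP = json.dumps({"model": "example-anthropic-model",
    "content": [{"type": "text", "text": "Reading it now."},
                {"type": "tool_use", "id": "tu_1", "name": "read_file", "input": {"path": "README.md"}}],
    "usage": {"input_tokens": 200, "output_tokens": 50}})

if __name__ == "__main__":
    print(normalize_exchange("/v1/chat/completions", OPENAI_REQ, OPENAI_RESP))
    print(normalize_exchange("/v1/messages", ANTHROPIC_REQ, ANTHROPIC_RESP))
```

The `tool_calls` field is the part worth alerting on: it is where a shell or file action decided by the model becomes visible before the framework executes it.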
PTI: security tools without reconfiguring the agent
One practical issue with adding security tooling to agents is that the standard method — MCP servers — requires editing config files and can be fragile (disconnects are common).
AgentGuard360's proxy implements PTI (Proxy Tool Injection), which makes tools available to the agent directly. The agent sees operations and security tools as available without any change to its own configuration.
This matters for the Windows terminal setup: add the proxy endpoint to Hermes's provider config once, and every subsequent session — including headless runs — captures traffic through the proxy with security tools available, without touching anything else.
Choosing between the three frameworks
Use Claude Code if: You want the lowest setup overhead and are comfortable with Anthropic-managed infrastructure. It's well-suited for individual developers and small teams working in terminal or IDE environments who don't need to run a local model or route through a self-hosted inference server.
Use Hermes if: You need self-hosted model routing, are working with NVIDIA hardware, want to run local models without external API costs, or need the Windows-native terminal experience added in v0.14.0. Plan to configure sandboxing (Docker or OpenShell) before running in any environment with production credentials, and set up proxy monitoring before enabling computer_use.
Use OpenClaw if: You specifically need its skill ecosystem and are willing to do significant hardening work before deploying. Anthropic API access requires a verified billing account since April 2026.
For any of the three, running agents against real infrastructure or real data without a proxy monitoring layer means relying entirely on framework-level logs.
Setup and monitoring comparison
| | OpenClaw | Hermes | Claude Code |
|---|---|---|---|
| Install | pip install openclaw | pip install hermes-agent | npm install -g @anthropic-ai/claude-code |
| Framework cost | Free, open source | Free, open source | Free, open source |
| API costs | Pay per token to your chosen provider | Pay per token to your chosen provider (or free with local model) | Pay per token to Anthropic |
| Model config | Any OpenAI-compatible endpoint | Any OpenAI-compatible endpoint | Claude.ai account required |
| Windows support | Yes (terminal) | Yes, native (v0.14.0) | Yes, native |
| Proxy monitoring setup | Set OPENAI_BASE_URL | Add proxy to Hermes provider config | Set ANTHROPIC_BASE_URL |
| Hardening required before production use | Yes — significant | Yes — moderate | Minimal |
