Remote OpenClaw Blog
Hermes Agent Security: 7 Things to Lock Down Before You Connect Real Accounts
8 min read ·
Hermes Agent security rests on one assumption: sooner or later your agent will read something malicious, so the damage is decided by what you gave it access to beforehand. Before connecting email, GitHub, or anything with a credit card behind it, lock down seven things: provider spend limits, prompt injection defenses, least-privilege tool access, dedicated accounts for the agent, named API keys, secrets stored via hermes config set instead of chat, and a firewalled VPS you reach over Tailscale. This is the same disclosure-first checklist popularized in Tech with Tim's Hermes course, adapted for a self-hosted deployment in July 2026.
Step 0: Isolate the Agent on Its Own VPS
An isolated VPS beats your laptop for one reason: blast radius. On your personal machine, a bad tool call can touch your browser sessions, SSH keys, password manager exports, and every file you own; on a dedicated server, the worst case is bounded to one disposable box you can snapshot, wipe, and rebuild in minutes.
Isolation is also the cheapest control on this list. The one-click Hermes Agent template on Hostinger (affiliate link, up to 70% off in the summer sale, KVM 2 at $8.79/mo) gives you a clean Docker deployment in about a minute, or bring any plain VPS and follow our self-hosted Hermes Agent guide. Everything below assumes this baseline.
1. Set Spend Limits at the Provider
Spend limits are the only guardrail that works when everything else fails, because they live at the model provider, outside anything the agent can touch. An agent stuck in a retry loop, or manipulated into one, can burn through a month of API budget in a night, and no prompt instruction reliably prevents that.
Set a hard monthly cap and a soft alert threshold in every provider dashboard you connect, and start lower than feels necessary; you can raise a limit in thirty seconds, but you cannot refund a runaway weekend. If you route routine crons to a budget model, cap that key too: cheap tokens still multiply.
2. Treat Prompt Injection as Inevitable
Prompt injection is ranked the number one risk for LLM applications in the OWASP GenAI Top 10, and an always-on agent that reads email and browses the web is exposed to it constantly. Any text the agent reads, an email body, a web page, a README, can contain instructions crafted for the agent rather than for you.
The working defenses are structural, not clever prompts. Filter what reaches the agent: if it triages email, forward only specific senders to its inbox instead of granting full mailbox access. Separate reading from acting: untrusted content should never be able to trigger a privileged action without your confirmation. And keep permissions minimal, so a successful injection has nothing to reach. If you connect MCP servers, the same logic applies; see our MCP security best practices for the tool-poisoning variant of this attack.
3. Least Privilege for Every Tool
Least privilege means every tool, key, and integration gets the minimum access that still lets the job run, which converts most catastrophic failures into annoying ones. A read-only calendar token cannot delete your events, and an SSH user without sudo cannot wipe a server, no matter what the model was tricked into attempting.
Apply it in passes: start read-only everywhere, then grant write access only where a workflow actually needs it, one scope at a time. Before wiring in any third-party MCP server, run its config through our free MCP security scanner to catch over-broad permissions and known risk patterns before they reach the agent.
4. Give the Agent Its Own Accounts
The agent should never operate as you: create a dedicated email address and a dedicated GitHub account for it, so its access can be audited, scoped, and revoked without touching your identity. A separate agent inbox also enables the forwarding-rule defense above, and a separate GitHub identity means a compromised agent cannot push to repos you never granted it.
On GitHub, use fine-grained personal access tokens scoped to specific repositories with specific permissions, not classic tokens with account-wide reach. The same principle extends everywhere: its own calendar, its own cloud storage folder, its own Composio connections, never a shared login with you.
5. One Named API Key per Agent
Every agent gets its own named API key at every provider: hermes-prod-telegram, hermes-research, and so on, never a shared personal key. Named keys give you attribution, per-key spend visibility, and instant revocation: when one agent misbehaves you kill one key, not your whole account's access.
This matters double if you run multiple agents or follow the run-both advice from our OpenClaw to Hermes switching post: shared keys make one agent's runaway spend indistinguishable from another's. Rotate named keys on a schedule and delete any key you cannot explain.
6. Secrets via hermes config set, Never Chat
Anything you paste into chat becomes part of the agent's session history, which is stored, searchable, and injected back into future model calls, so chat is the wrong place for a credential. Hermes Agent stores every past conversation in SQLite precisely so it can recall context later; that feature becomes a liability the moment a token lands in it.
Set secrets as configuration instead, where tools read them as environment variables without the model ever seeing the value:
hermes config set GITHUB_TOKEN github_pat_XXXXXXXX
hermes config set COMPOSIO_API_KEY ck_XXXXXXXX
If a secret has ever touched chat, treat it as leaked: revoke it, reissue it, and set the replacement properly. The config workflow is covered in the official Hermes Agent docs.
7. Firewall Everything, Reach It over Tailscale
The agent's VPS should expose nothing to the public internet except what strictly must be there: enable the firewall, keep the web dashboard bound to 127.0.0.1, and reach the box over Tailscale instead of opening ports. A WireGuard-based tailnet gives you encrypted access from your devices while the server stays dark to scanners.
ufw default deny incoming
ufw allow in on tailscale0
ufw enable
Finish with a standing audit: a Sunday cron where the agent reviews its own open ports, active keys, and recent privileged actions, then messages you the report. It pairs well with the daily routines in our Hermes Agent use cases guide, and it means drift gets caught weekly instead of after an incident.
Threat-to-Control Table
Each lockdown maps to a specific failure mode. If you only have an hour, do them in this order.
| # | Threat | Control | Where |
|---|---|---|---|
| 0 | Agent compromises your personal machine | Dedicated, disposable VPS | Hosting |
| 1 | Runaway token spend | Hard monthly caps + alerts | Provider dashboard |
| 2 | Prompt injection via email or web | Sender filtering, no auto-actions on untrusted input | Workflow design |
| 3 | Over-broad tool damage | Read-only first, scoped grants, MCP scanner | Integrations |
| 4 | Identity contamination | Dedicated email + GitHub, fine-grained tokens | Accounts |
| 5 | Unattributable key abuse | One named API key per agent | Provider dashboard |
| 6 | Secrets in session history | hermes config set, never chat | Hermes CLI |
| 7 | Public attack surface | Firewall + localhost binding + Tailscale | VPS network |
What This Checklist Does Not Cover
No checklist makes an autonomous agent risk-free: these seven controls bound the damage, they do not eliminate the possibility that a model gets manipulated or simply makes a destructive mistake within the permissions it legitimately holds. Model-level jailbreaks, supply-chain issues in skills or MCP servers you install, and plain bad judgment on ambiguous instructions all remain.
The honest posture as of July 2026: keep a human approval step on anything irreversible (payments, deletions, public posts), snapshot the VPS regularly, and review the agent's action logs weekly. If a workflow cannot tolerate any failure, it is not a workflow for an autonomous agent yet.
Related Guides
- MCP Security Best Practices for Running Servers Safely
- 6 Hermes Agent Use Cases That Justify Running It 24/7
- Why I Switched from OpenClaw to Hermes Agent
- Hermes Agent VPS: Self-Host on a $5 Server
Go deeper
The operator playbooks
Production-ready PDF guides for OpenClaw and Hermes Agent — $19.99 each.
Skills for this topic
Browse all skills →Frequently Asked Questions
Is Hermes Agent safe to connect to real accounts?
Yes, if you contain it first: an isolated VPS, provider spend limits, least-privilege tokens, dedicated accounts for the agent, named API keys, secrets set via config, and a firewalled network. Connecting real accounts to an unhardened agent on your personal laptop is where the horror stories come from.
How do I stop prompt injection in Hermes Agent?
You cannot fully stop it, so you contain it. Filter inputs (forward only trusted senders to the agent's inbox), never let untrusted content trigger privileged actions without confirmation, and keep permissions minimal so a successful injection has little to reach. OWASP ranks prompt injection as LLM risk number one for a reason.
Should Hermes Agent have its own email and GitHub account?
Yes. Dedicated accounts let you scope, audit, and revoke the agent's access without touching your own identity, enable sender-filtering defenses against prompt injection, and keep a compromised agent away from repositories and mail it was never granted. Use fine-grained GitHub tokens scoped per repository.
What spend limit should I set for Hermes Agent?
Start at roughly double your expected monthly usage with an alert at half the cap, then adjust from real data after a month. The exact number matters less than existing at all: a hard cap is the only control a looping agent cannot talk its way past. Our Hermes Agent cost breakdown has typical monthly figures.
Can I run Hermes Agent securely on my laptop?
For supervised experiments, yes; for an always-on agent with real account access, no. A laptop mixes the agent with your browser sessions, SSH keys, and personal files, and it sleeps, which breaks crons anyway. A $5 to $10 isolated VPS solves both problems at once.





