Course: Master Course · Deep-Dive: DD-08 · Duration: 60 min · Prerequisites: Modules 0–12, DD-01–07
33,000+ stars. Self-evolving skills. Overtook OpenClaw on OpenRouter May 10, 2026 (224B tokens/day). The depth play. The persistent-memory reference.
Hermes (Module 0.2's depth play) competes on memory depth: layered persistent memory, self-evolving skills that compound across sessions. The system that overtook OpenClaw on OpenRouter, shipping a hermes claw migrate command FROM OpenClaw — a competitor aggressive enough to actively pull users from the market leader. On the breadth-vs-depth split, Hermes is unambiguously the depth competitor: where OpenClaw (DD-07) competes on being everywhere an enterprise communicates, Hermes competes on being smarter every time you use it.
The strategic thesis of the depth play: breadth is reproducible (a competitor can add channels), but a compounding memory is not — each user's accumulated skill store is a switching cost. The migrate command is the market expression of this thesis: Hermes is not just matching OpenClaw's reach, it is arguing that depth makes reach obsolete.
Hermes's defining contribution: the agent writes skills (reusable procedures) to persistent memory, and those skills are available in future sessions. This is episodic memory that compounds — each session makes the agent more capable. A skill like "how to authenticate against the internal API" is written once and reused across all future sessions.
This is the deepest memory implementation in the roster. Module 4's 5 tiers go: in-context → working files → semantic store → episodic log → structured DB. Hermes implements all five, with the episodic/self-evolving tier being the differentiator. The skill store is the layer no other harness in the roster carries at this maturity — it is where Hermes earns its reference status on Module 4.
The compounding is the architectural property. Working files (Module 4 tier 2) are static; a semantic store (tier 3) retrieves but does not evolve. Hermes's skill store retrieves and evolves — each session leaves the agent more capable than the last.
Depth is power; depth is also risk (Module 4.3). A self-evolving skill store is a memory-poisoning surface: if an attacker writes a poisoned skill (via prompt injection causing the model to persist malicious content), the payload activates every time that skill is invoked in future sessions. This is worse than working-files poisoning — a poisoned skill compounds across invocations. A poisoned working file is read once; a poisoned skill is retrieved and executed every time a similar task arises, potentially forever.
Hermes uses model-initiated writes — the agent writes skills freely. This is the power (compounding capability) and the risk (compounding poisoning). NemoClaw's governance model (Module 0.2) would make skill writes harness-managed: model proposes, harness validates. The validation layer is the missing defense — without it, a single successful injection persists indefinitely.
The compounding that makes skills valuable is the same compounding that makes poisoning dangerous. A poisoned skill does not just execute once — it is retrieved on every similar future task, and each retrieval is an opportunity for the payload to refine itself, spread to related skills, or escalate. The half-life of a poisoned skill is effectively unbounded; there is no natural decay. This is the strongest argument in the course for Module 4.3's write-gating defense.
Credential flow: standard for the category — API key in environment, no container isolation (no Docker; blast radius is the host). Weaker than OpenCode's containerized server (DD-03).
Skill-write path: the agent can write skills freely. There is no harness-level review of what gets persisted. An attacker who can inject once (via any untrusted input that reaches the model) can persist a payload that activates across all future sessions.
External inputs: same untrusted-tagging gap as OpenClaw (DD-07) — external content enters context without a trust boundary. Combined with model-initiated writes, this means an injected external input can become a poisoned skill that outlives the session.
| Module | Score | Key decision |
|---|---|---|
| 1 Loop | 4 | standard ReAct, memory-augmented |
| 2 Tools | 4 | memory-aware tool surface |
| 3 Context | 4 | memory-augmented context management |
| 4 Memory | 5 | all 5 tiers; self-evolving episodic store (reference) |
| 5 Sandbox | 2 | no container; blast radius is the host |
| 6 Permission | 2 | model-initiated writes (the poisoning surface) |
| 7 Errors | 3 | standard |
| 8 State | 3 | session + persistent skill store |
| 9 Verification | 2 | limited |
| 10 Subagents | — | n/a |
| 11 Observability | 3 | standard |
| 12 Prompt | 4 | ~5k, memory-aware |
| TOTAL | 36/60 |
Hermes scores highest on Module 4 (Memory): 5/5. It is the memory reference. The self-evolving skill model is unmatched. It loses on sandboxing (2/5 — no container) and security (2/5 — model-initiated writes are a poisoning surface). The 36/60 reflects a depth-specialist: maximum on one axis, below median on the safety axes.
Hermes optimizes for memory depth via self-evolving skills that compound across sessions — each session makes the agent more capable. It sacrifices security (model-initiated memory writes are a poisoning surface) and sandboxing (no container). Build on Hermes when memory depth and skill accumulation are the primary value; do not build on it for security-critical work without adding NemoClaw-style write gating.
The self-evolving skill store is Hermes's largest attack surface: a poisoned skill compounds — it activates on every future invocation, not just on read. Model-initiated writes (the agent writes freely) make this surface exploitable. The defense: harness-managed writes (Module 4.3) — model proposes, harness validates. The compounding that makes skills valuable is the same compounding that makes poisoning dangerous.
migrate command proves the pull and validates the depth-over-breadth thesis.# Deep-Dive DD-08 — Hermes Agent: Layered Persistent Memory **Course**: Master Course · **Deep-Dive**: DD-08 · **Duration**: 60 min · **Prerequisites**: Modules 0–12, DD-01–07 > *33,000+ stars. Self-evolving skills. Overtook OpenClaw on OpenRouter May 10, 2026 (224B tokens/day). The depth play. The persistent-memory reference.* --- ## The Subject Hermes (Module 0.2's depth play) competes on **memory depth**: layered persistent memory, self-evolving skills that compound across sessions. The system that overtook OpenClaw on OpenRouter, shipping a `hermes claw migrate` command FROM OpenClaw — a competitor aggressive enough to actively pull users from the market leader. On the breadth-vs-depth split, Hermes is unambiguously the depth competitor: where OpenClaw (DD-07) competes on being everywhere an enterprise communicates, Hermes competes on being smarter every time you use it. The strategic thesis of the depth play: breadth is reproducible (a competitor can add channels), but a compounding memory is not — each user's accumulated skill store is a switching cost. The `migrate` command is the market expression of this thesis: Hermes is not just matching OpenClaw's reach, it is arguing that depth makes reach obsolete. ## Architecture — The Self-Evolving Skill Model Hermes's defining contribution: the agent writes **skills** (reusable procedures) to persistent memory, and those skills are available in future sessions. This is episodic memory that *compounds* — each session makes the agent more capable. A skill like "how to authenticate against the internal API" is written once and reused across all future sessions. This is the deepest memory implementation in the roster. Module 4's 5 tiers go: in-context → working files → semantic store → episodic log → structured DB. Hermes implements all five, with the episodic/self-evolving tier being the differentiator. The skill store is the layer no other harness in the roster carries at this maturity — it is where Hermes earns its reference status on Module 4. ### How a skill is born and reused 1. **Birth**: during a session, the agent encounters a non-trivial procedure (e.g., the right sequence of API calls to file an internal ticket). It writes the procedure as a skill to the persistent store. 2. **Retrieval**: in a future session facing a similar task, the skill is retrieved (semantic match against the task) and injected into context. 3. **Compounding**: each retrieval-and-use reinforces the skill. The agent gets faster at the procedure; the skill accumulates refinements. The compounding is the architectural property. Working files (Module 4 tier 2) are static; a semantic store (tier 3) retrieves but does not evolve. Hermes's skill store retrieves *and* evolves — each session leaves the agent more capable than the last. ## Key Design Decisions 1. **Model-initiated writes.** The agent writes skills freely, without harness-level gating. This is the source of compounding capability (the agent learns from every session) and the source of compounding risk (the agent learns from every session, including poisoned ones). The same design decision is both the feature and the vulnerability. 2. **Depth over breadth.** Fewer channels than OpenClaw; deeper memory. The bet that a compounding memory beats a wide channel surface over time. The OpenRouter overtake (May 2026) is early evidence for the bet. 3. **All five memory tiers.** In-context, working files, semantic store, episodic log, structured DB — all implemented. The only harness in the roster with a real self-evolving episodic store. ## The Memory-Poisoning Surface Depth is power; depth is also risk (Module 4.3). A self-evolving skill store is a **memory-poisoning surface**: if an attacker writes a poisoned skill (via prompt injection causing the model to persist malicious content), the payload activates every time that skill is invoked in future sessions. This is worse than working-files poisoning — a poisoned skill compounds across invocations. A poisoned working file is read once; a poisoned skill is retrieved and executed every time a similar task arises, potentially forever. Hermes uses **model-initiated writes** — the agent writes skills freely. This is the power (compounding capability) and the risk (compounding poisoning). NemoClaw's governance model (Module 0.2) would make skill writes harness-managed: model proposes, harness validates. The validation layer is the missing defense — without it, a single successful injection persists indefinitely. ### Why poisoning compounds here specifically The compounding that makes skills valuable is the same compounding that makes poisoning dangerous. A poisoned skill does not just execute once — it is retrieved on every similar future task, and each retrieval is an opportunity for the payload to refine itself, spread to related skills, or escalate. The half-life of a poisoned skill is effectively unbounded; there is no natural decay. This is the strongest argument in the course for Module 4.3's write-gating defense. ## Phase 4 — Security Audit **Credential flow**: standard for the category — API key in environment, no container isolation (no Docker; blast radius is the host). Weaker than OpenCode's containerized server (DD-03). **Skill-write path**: the agent can write skills freely. There is no harness-level review of what gets persisted. An attacker who can inject once (via any untrusted input that reaches the model) can persist a payload that activates across all future sessions. **External inputs**: same untrusted-tagging gap as OpenClaw (DD-07) — external content enters context without a trust boundary. Combined with model-initiated writes, this means an injected external input can become a poisoned skill that outlives the session. ## Score & Synthesize: 36/60 | Module | Score | Key decision | | --- | --- | --- | | 1 Loop | 4 | standard ReAct, memory-augmented | | 2 Tools | 4 | memory-aware tool surface | | 3 Context | 4 | memory-augmented context management | | 4 Memory | 5 | all 5 tiers; self-evolving episodic store (reference) | | 5 Sandbox | 2 | no container; blast radius is the host | | 6 Permission | 2 | model-initiated writes (the poisoning surface) | | 7 Errors | 3 | standard | | 8 State | 3 | session + persistent skill store | | 9 Verification | 2 | limited | | 10 Subagents | — | n/a | | 11 Observability | 3 | standard | | 12 Prompt | 4 | ~5k, memory-aware | | **TOTAL** | **36/60** | | Hermes scores highest on Module 4 (Memory): 5/5. It is the memory reference. The self-evolving skill model is unmatched. It loses on sandboxing (2/5 — no container) and security (2/5 — model-initiated writes are a poisoning surface). The 36/60 reflects a depth-specialist: maximum on one axis, below median on the safety axes. ### Architect's Verdict > *Hermes optimizes for memory depth via self-evolving skills that compound across sessions — each session makes the agent more capable. It sacrifices security (model-initiated memory writes are a poisoning surface) and sandboxing (no container). Build on Hermes when memory depth and skill accumulation are the primary value; do not build on it for security-critical work without adding NemoClaw-style write gating.* ### MLSecOps Relevance > *The self-evolving skill store is Hermes's largest attack surface: a poisoned skill compounds — it activates on every future invocation, not just on read. Model-initiated writes (the agent writes freely) make this surface exploitable. The defense: harness-managed writes (Module 4.3) — model proposes, harness validates. The compounding that makes skills valuable is the same compounding that makes poisoning dangerous.* ### 3 things Hermes does better 1. **Self-evolving skills**: the deepest memory implementation. Skills compound across sessions — the only harness with a real self-evolving episodic store. 2. **Memory depth**: implements all 5 tiers of Module 4. The reference for the memory axis. 3. **Market momentum**: overtook OpenClaw on OpenRouter (May 2026); the `migrate` command proves the pull and validates the depth-over-breadth thesis. ### 3 things to fix 1. **Add harness-managed write gating** (Module 4.3) — the skill store's poisoning surface. Model proposes, harness validates; a poisoned skill should never persist. 2. **Add sandboxing (Docker)** — blast radius is the host; weaker than OpenCode's containerized server. 3. **Add untrusted-tagging on external inputs** — same gap as OpenClaw (DD-07); combined with model-initiated writes, an injected input can become a persistent poisoned skill. --- ## References 1. **Hermes source** — the memory-depth reference. 2. **DD-07 (OpenClaw)** — the breadth competitor Hermes overtook on OpenRouter (May 2026). 3. **DD-09 (NemoClaw)** — the governance fix for Hermes's write surface (harness-managed writes). 4. **DD-15 (Command Code)** — the architectural cousin: self-evolving *preferences* vs. Hermes's self-evolving *skills*. 5. **Module 0.2** — the breadth-vs-depth split; the OpenRouter overtake. 6. **Module 4** — memory tiers; the self-evolving episodic store as the differentiating tier. 7. **Module 4.3** — memory poisoning; model-initiated vs. harness-managed writes (the needed fix).