注:本文为 "OpenClaw vs. Hermes Agent" 相关合辑。
英文引文,机翻未校。
中文引文,略作重排。
如有内容异常,请看原文。
OpenClaw vs. Hermes Agent: An Honest Comparison of the Two Dominant AI Agent Frameworks of 2026
OpenClaw 与 Hermes 智能体框架:2026 年两大主流开源 AI 智能体框架客观对比
Tobias Jonas | May 17, 2026
托比亚斯·乔纳斯 | 2026 年 5 月 17 日
OpenClaw and Hermes Agent are among the most-discussed open-source AI agent frameworks of 2026. Both have established themselves as serious options for self-hosted agent systems within a short period, both are intensely watched by technical communities, and both bring very different assumptions about how an AI agent should be structured. Those differences are exactly what makes a comparison worthwhile.
OpenClaw 与 Hermes Agent 是 2026 年热度极高的开源 AI 智能体框架。二者在短时间内均成为本地部署智能体系统的实用选型,受到技术圈层广泛关注,同时二者对于 AI 智能体架构设计的思路存在明显区别,这类区别也让二者的对比具备实际参考价值。
This article is deliberately neutral. It does not declare a winner. Instead, it gives decision-makers and experienced engineers the information they need to make a well-grounded choice on their own. We look at the origin story of each project, compare the architectures, walk through the release histories of both frameworks, analyze the security models and the CVEs documented for OpenClaw, document the supply-chain incidents around ClawHub, list opportunities and risks, and close with a comparison table that brings every important dimension into a single view.
本文秉持中立撰写,不判定二者优劣,只为决策人员与资深工程人员提供完整参考依据,便于自主做出适配选型。文章梳理两个项目的发展起源、对比架构设计、梳理版本迭代历程、分析安全设计体系与 OpenClaw 已公开通用漏洞编号、整理 ClawHub 相关供应链安全事件、罗列适配场景与潜在隐患,最后整合全维度对比表格完成内容汇总。
For context, we reference existing deep dives on the innfactory.ai blog at the relevant points, in particular the OpenClaw architecture explained, the OpenClaw AI agent security review, and the OpenClaw ecosystem guide covering ClawHub, NemoClaw, and NanoClaw.
行文过程中,本文同步引用 innfactory.ai 博客平台已发布的深度解析内容,包括 OpenClaw 架构详解、OpenClaw AI 智能体安全评测 以及 涵盖 ClawHub、NemoClaw、NanoClaw 的 OpenClaw 生态指南。
OpenClaw, a project with many names
名称几经变更的 OpenClaw 项目
OpenClaw has appeared under several names. The project originally went by Moltbot and was a personal project of Peter Steinberger. When Steinberger moved to OpenAI on 14 February 2026, the project was transferred into a foundation model and renamed to OpenClaw at the same time. The GitHub organization is openclaw, the commercial SaaS frontend lives at openclawai.io.
OpenClaw 项目曾使用多个名称开展研发,项目最初命名为 Moltbot ,由彼得·施泰因贝格尔独立开发。2026 年 2 月 14 日该开发者入职 OpenAI 后,项目移交至基金会统筹运营并正式更名 OpenClaw。项目代码托管组织标识为 openclaw,商业化云端服务访问域名为 openclawai.io。
For the version numbers readers may run into in issue trackers and CVE databases, it is worth knowing that the project existed long before its public launch. The early phase ran as a v0.x series that reached v0.4.2. During that early phase, the critical security weaknesses that were later documented as CVE-2026-25253, CVE-2026-25891, and CVE-2026-26102 were introduced and eventually fixed.
用户在问题追踪平台与通用漏洞数据库中查阅版本信息时需要知晓,该项目正式公开上线前已完成长期研发,早期迭代版本为 v0.x 系列,最高迭代至 v0.4.2 版本。项目早期研发阶段遗留多项高危安全缺陷,对应漏洞编号 CVE-2026-25253、CVE-2026-25891、CVE-2026-26102 均在此阶段产生,后续完成漏洞修复。
The jumps from v0.x to v3.x are part of the branding story. In November 2025, v3.0 shipped with multi-model support and a workspace system. On 10 January 2026, v3.5 followed with voice integration (ElevenLabs, Edge TTS, Whisper STT) and Playwright-based browser automation. The actual public rollout of the commercial platform at the end of January 2026 marked the point at which OpenClaw entered broader awareness. On 20 February 2026, v4.0 brought a complete architecture rewrite. v4.0 is labelled "The Agent OS" and introduced the gateway daemon, the canvas system, support for more than fifteen messaging platforms, and cron scheduling. Architecturally, OpenClaw was no longer identical to what had been known as Moltbot.
项目版本从 v0.x 直接跨越至 v3.x 属于品牌升级规划范畴。2025 年 11 月发布 v3.0 版本,新增多模型兼容能力与工作空间管理体系;2026 年 1 月 10 日推出 v3.5 版本,接入 ElevenLabs、Edge TTS、Whisper 语音相关能力,同时集成基于 Playwright 的浏览器自动化功能。2026 年 1 月末商业化平台正式对外发布,让 OpenClaw 获得大范围行业关注。2026 年 2 月 20 日上线 v4.0 版本,完成整体架构重构,该版本定位为「智能体操作系统」,新增网关守护进程、可视化画布体系,兼容十五类以上社交消息平台并接入定时任务调度能力,架构层面彻底脱离初代 Moltbot 的设计逻辑。
Hermes Agent, a project from a research lab
科研实验室孵化项目:Hermes Agent
Hermes Agent is the agent framework of Nous Research, an open-source AI lab that has become well known in the AI community for its Hermes model series. The GitHub repository was created on 22 July 2025 and developed internally for roughly eight months before the first public release tag was set. The public launch happened on 12 March 2026 with version 0.2.0. The license is MIT.
Hermes Agent 由知名开源人工智能实验室 Nous Research 研发打造,该实验室依托 Hermes 系列大模型在行业内具备较高知名度。项目代码仓库创建于 2025 年 7 月 22 日,历经约八个月内部研发后敲定首个公开版本标签,2026 年 3 月 12 日正式对外发布 v0.2.0 版本,项目开源协议为 MIT 协议。
The commit distribution shows a fairly clear core authorship with broad community participation. The lead contributor is teknium1 with 2,549 commits, followed by 0xbyt4 with 180 commits. Beyond that, more than 300 additional people from the community have contributed. The project therefore follows a model that is common in academic open-source environments, namely clear maintainers plus a wide contribution base.
从代码提交记录能够看出,项目存在固定核心研发人员,同时吸纳大量社区开发者参与迭代。核心贡献者 teknium1 累计提交代码 2549 次,0xbyt4 累计提交 180 次,另有三百余名社区开发者参与项目优化。该项目沿用学术类开源项目通用运营模式,由固定维护团队统筹研发,面向全网开放代码贡献渠道。
In contrast to OpenClaw, Hermes Agent pursues no commercial SaaS model. There is no official hosting platform, no subscription model, and no marketplace in the style of ClawHub. Instead, Nous Research provides models through the Nous Portal, including MiMo v2 Pro, which is available free of charge within the portal.
与 OpenClaw 不同,Hermes Agent 未布局商业化云端订阅服务,无官方托管运行平台、无付费订阅体系,也未搭建对标 ClawHub 的插件资源市场。Nous Research 仅通过自有平台 Nous Portal 对外分发大模型资源,其中 MiMo v2 Pro 模型可在该平台免费获取使用。
Architecture comparison
架构设计对比
OpenClaw and Hermes Agent answer the same question, namely how an agent connects to the outside world, in very different ways. OpenClaw bets on a hub-and-spoke model with a central gateway daemon. Hermes Agent bets on a modular approach whose primary surface is a command-line interface and whose messaging integrations are an optional gateway mode.
两款框架在智能体对外交互链路的设计思路上存在显著差异。OpenClaw 采用中心辐射式架构,依托中心化网关守护进程完成交互调度;Hermes Agent 采用模块化设计,以命令行交互作为核心使用入口,社交消息平台接入仅作为可选网关拓展功能。
OpenClaw, hub-and-spoke with a gateway daemon
OpenClaw:搭载网关守护进程的中心辐射架构
At the center of OpenClaw sits a long-running daemon, the gateway. It loads all messaging adapters directly into its own process, including WhatsApp via Baileys and Telegram via grammY. Incoming frames are validated against JSON schemas, and the entire communication between clients and the daemon runs through a typed WebSocket API on ws://127.0.0.1:18789. Exactly one gateway runs per host.
OpenClaw 架构核心为常驻运行的网关守护进程,该进程可直接加载全品类社交消息适配组件,包含基于 Baileys 适配的 WhatsApp、基于 grammY 适配的 Telegram 等。外部传入数据帧依据 JSON 数据规范完成合法性校验,客户端与网关进程的全部交互均依托地址为 ws://127.0.0.1:18789 的标准化 WebSocket 接口实现,单台设备仅可运行单个网关服务实例。
text
WhatsApp / Telegram / Slack / Discord / Signal / iMessage / ...
│
▼
┌───────────────────────────────┐
│ Gateway (Daemon) │
│ (Control Plane) │
│ ws://127.0.0.1:18789 │
└──────────────┬────────────────┘
│
├─ Agent Runtime (RPC)
├─ CLI (openclaw ...)
├─ WebChat UI
├─ macOS App
└─ iOS / Android NodesThe wire protocol knows three frame types. A req frame is a client request to the gateway. A res frame is the corresponding response from the gateway. An event frame is a server-side push message. The first frame after connection setup must always be a connect frame, which carries a token for non-local connections. TypeBox schemas serve as the single source of truth. There are six event types, including agent, chat, presence, health, heartbeat, and cron.
框架传输协议划定三类基础数据帧:req 为客户端向网关发起的请求帧,res 为网关返回的响应帧,event 为服务端主动推送消息帧。建立通信连接后,首个传输数据帧必须为 connect 连接帧,跨设备远程连接需在该帧内携带身份令牌。项目统一采用 TypeBox 数据格式作为校验标准,预设六大事件类型,分别为智能体事件、会话事件、在线状态事件、健康监测事件、心跳保活事件与定时任务事件。
Session management runs by default through a shared DM session per agent (main). For multi-user setups, an opt-in Secure DM Mode isolates DMs per sender. Sessions are persisted as JSONL under ~/.openclaw/agents/<agent-id>/sessions/. Skills are hot-reloadable, and the ClawHub marketplace has been available since v4.1.
框架默认采用单智能体统一私聊会话(main)完成会话管理,多用户使用场景下可手动开启私密会话隔离模式,按照发送者独立划分会话空间。会话数据以 JSONL 格式持久化存储于 ~/.openclaw/agents/<agent-id>/sessions/ 目录内。框架支持插件功能热加载,v4.1 版本正式上线 ClawHub 插件资源市场。
OpenClaw supports OpenAI, Anthropic, Google, Ollama, and OpenRouter as model providers, both local and remote.
OpenClaw 可兼容本地部署与云端调用两种接入形式,支持对接 OpenAI、Anthropic、谷歌、Ollama、OpenRouter 等主流大模型服务厂商。
Hermes Agent, modular and CLI-first
Hermes Agent:模块化设计,命令行优先架构
Hermes Agent reverses the relationship. The primary entry point is the command line, not a daemon with built-in messaging adapters. The gateway mode is an optional extension that connects Telegram, Discord, WhatsApp, Slack, Feishu, Lark, and WeCom. Container backends, by contrast, are first-class citizens: Hermes Agent supports Docker, Singularity, Modal, Daytona, and Vercel Sandbox.
Hermes Agent 采用反向设计逻辑,核心使用入口为命令行工具,而非内置消息适配组件的常驻守护进程。网关互联模式仅作为拓展功能,可按需接入电报、迪斯科、瓦次普、斯莱克、飞书、钉钉、企业微信等社交平台。容器化运行是该框架核心适配能力,原生支持 Docker、Singularity、Modal、Daytona、Vercel 沙箱等多种容器运行环境。
The skill system resembles OpenClaw's but differs in one decisive respect. From v0.12 onward, an autonomous curator background process runs that independently evaluates the skill library, removes skills no longer used, and consolidates redundant skills. The memory system is pluggable and supports Honcho as a provider, among others. Browser automation is also solved differently. Instead of a standard Playwright setup, Hermes Agent ships the Camofox Anti-Detection Browser from v0.7.0, explicitly tuned for sites with bot detection.
该框架插件体系逻辑与 OpenClaw 存在相似之处,但核心功能存在明显区分。自 v0.12 版本起,框架新增后台自主整理进程,可自动梳理插件资源库,清理闲置插件并合并重复功能插件。记忆存储体系支持插件式拓展,可对接 Honcho 等第三方存储服务。浏览器自动化实现方案同样存在差异,该框架未采用通用 Playwright 方案,自 v0.7.0 版本起内置 Camofox 反检测浏览器,专门适配具备机器人识别机制的网页场景。
In its MCP integration, Hermes Agent takes an architecturally unusual route. The framework can act as an MCP server itself, providing services to other agents. From v0.8.0, MCP OAuth 2.1 is supported. Together, both capabilities allow running multiple Hermes instances or other agent frameworks as a federated mesh.
在 MCP 协议对接层面,Hermes Agent 采用差异化架构设计,框架自身可作为 MCP 服务端,为其他智能体提供标准化服务。v0.8.0 版本新增 MCP OAuth 2.1 身份认证能力,依托上述两项能力,可实现多组 Hermes 实例与其他异构智能体框架搭建分布式互联网络。
Release history
版本迭代历程
The following tables summarize the most important releases of both frameworks, to the extent they are relevant for a security- and architecture-driven evaluation.
下述表格整理两款框架核心迭代版本信息,适配架构调研与安全评测相关参考需求。
OpenClaw releases
OpenClaw 版本迭代记录
| Version 版本 | Date 发布时间 | Highlights 核心更新内容 |
|---|---|---|
| v3.0 | November 2025 | Multi-model, workspace system, Docker 多模型兼容适配、工作空间管理体系、Docker 容器部署能力 |
| v3.5 | 10 January 2026 | Voice (ElevenLabs, Edge TTS), browser automation via Playwright, Whisper STT 接入语音服务(ElevenLabs、Edge TTS)、Playwright 浏览器自动化、Whisper 语音转文字能力 |
| v4.0 | 20 February 2026 | "The Agent OS", complete architectural rewrite, gateway daemon, canvas system, more than 15 messaging platforms, cron scheduling 定位智能体操作系统、整体架构重构、网关守护进程、可视化画布体系、十五类以上消息平台适配、定时任务调度 |
| v4.1 | 15 March 2026 | ClawHub skills marketplace, Claude Code as ACP harness, skill search across 6 registries, semantic search in the memory system 上线 ClawHub 插件市场、集成 Claude Code 调度工具、六大仓库插件检索、记忆体系语义检索功能 |
| v4.2 | 28 March 2026 2026 年 3 月 28 日 | ACP (Agent Communication Protocol) for inter-agent communication, thread-bound sessions, sub-agent spawning, session_status tool 上线智能体通信协议实现跨智能体交互、线程绑定会话机制、子智能体创建能力、会话状态查询工具 |
| 2026.5.x-beta | May 2026 | Codex runtime support, xAI, Tencent Cloud, sanitized diagnostic exports 支持代码运行时环境、对接 xAI 大模型、适配腾讯云服务、标准化诊断日志导出功能 |
Hermes Agent releases
Hermes Agent 版本迭代记录
| Version 版本 | Date 发布时间 | Highlights 核心更新内容 |
|---|---|---|
| v0.2.0 v0.2.0 | 12 March 2026 | Public launch 项目正式对外公开上线 |
| v0.3.0 to v0.6.0 v0.3.0 ~ v0.6.0 | 12 to 30 March 2026 2026 年 3 月 12 日 - 3 月 30 日 | Five releases in 18 days, fast iteration of core functions 十八天内完成五次版本迭代,快速完善基础核心功能 |
| v0.6.0 v0.6.0 | 30 March 2026 | Profiles for isolated agent instances, MCP server mode, Docker containers, fallback provider chains, Feishu, Lark, and WeCom messaging, 95 PRs 新增独立智能体实例配置文件、MCP 服务端运行模式、Docker 容器适配、模型备用调度链路、飞书/钉钉/企业微信消息对接,合并 95 项代码合并请求 |
| v0.7.0 v0.7.0 | 3 April 2026 | "Resilience Release", pluggable memory providers, Honcho integration, Camofox Anti-Detection Browser, deep gateway hardening, 168 PRs 稳定性专项优化版本、可插拔记忆存储组件、对接 Honcho 服务、内置反检测浏览器、网关安全加固,合并 168 项代码合并请求 |
| v0.8.0 v0.8.0 | 8 April 2026 | Background-process auto-notifications, MiMo v2 Pro free via Nous Portal, MCP OAuth 2.1, approval buttons, 209 PRs 后台消息自动推送、Nous 平台免费开放 MiMo v2 Pro 模型、接入 MCP OAuth 2.1 认证、新增人工审批交互按钮,合并 209 项代码合并请求 |
| v0.12 (2026.4.30) v0.12(2026.4.30) | 30 April 2026 | "The Curator", autonomous background system for the skill library, 1,096 commits, 550 merged PRs, 213 contributors for this release alone 上线插件库自主管理后台进程、累计 1096 次代码提交、合并 550 项代码合并请求,单版本参与贡献开发者达 213 人 |
The release cadence of Hermes Agent in its first 50 days after launch is striking. Between 12 March and 30 April 2026, there were six numbered releases. The jump from 95 to 168 to 209 to over 550 merged pull requests per release also indicates very active community participation. OpenClaw shows a different profile over the same period. Its releases are less frequent but contain larger structural architecture changes in each step.
Hermes Agent 正式上线后五十天内迭代节奏十分紧凑,2026 年 3 月 12 日至 4 月 30 日期间完成六个正式版本发布,单版本合并代码请求数量从 95 项逐步增长至 550 项,足以体现社区开发者参与热度。同一时间段内 OpenClaw 迭代节奏相对平缓,版本发布频次更低,但每一次版本更新均会完成大规模架构层面调整优化。
Security models compared
安全设计体系对比
The security models reveal perhaps the clearest difference between the two frameworks. OpenClaw inherited a rather permissive default model in its early phase and evolved reactively after public incidents. Hermes Agent established a security model with seven documented layers as a design principle from the start.
安全防护体系是两款框架差异化最直观的体现。OpenClaw 早期默认权限管控规则宽松,相关安全优化均在安全事件曝光后被动推进;Hermes Agent 从项目研发初期便制定七层标准化安全防护架构,将安全设计纳入基础研发准则。
OpenClaw security philosophy
OpenClaw 安全设计理念
The original OpenClaw security model was strongly skill-centric. Skills loaded through the plugin system could run in a sandbox that, in the early phase, exhibited clear gaps. In a public advisory from 6 February 2026, Microsoft characterized OpenClaw's default permission model as "overly permissive for enterprise environments". The same advisory recommended sandboxed environments, network segmentation, and approval workflows for skill installation as a minimum baseline.
OpenClaw 初代安全体系以插件功能为核心搭建,插件运行沙箱环境早期存在多项防护漏洞。2026 年 2 月 6 日微软发布安全公告,明确指出该框架默认权限管控规则无法适配企业级使用场景,同时给出基础安全整改方案,包括部署独立沙箱运行环境、划分网络访问权限、增设插件安装人工审批流程。
Releases v0.3.3, v0.4.1, and v0.4.2 addressed the CVEs described in the following sections. Version 4.0 brought a foundational rework of the architecture. Version 4.1 extended ClawHub with a skill-scanning partnership. The trajectory is therefore reactive but visible.
v0.3.3、v0.4.1、v0.4.2 版本针对性修复下文提及的多项通用安全漏洞,v4.0 版本完成底层安全架构重构,v4.1 版本联合第三方安全机构为 ClawHub 插件市场新增插件安全检测机制,整体安全优化均为事后应急整改模式。
Hermes Agent security philosophy
Hermes Agent 安全设计理念
Hermes Agent differs fundamentally because the security layers are part of the initially documented architecture. Specifically, there are seven layers, each addressing a clearly bounded threat vector.
Hermes Agent 安全设计逻辑存在本质区别,七层安全防护架构从项目立项阶段便纳入正式设计文档,每一层防护机制均精准对应一类明确的网络攻击风险场景。
The first layer is user authorization at the gateway. The order of checks runs through per-platform allow-all flag, DM-pairing approved list, platform-specific allowlists, global allowlist, global allow-all, and ends with a deny by default. The DM-pairing system follows OWASP recommendations and NIST SP 800-63-4. It uses an eight-character code from a 32-character unambiguous alphabet without 0, O, 1, and I, generated via secrets.choice(). The code TTL is one hour, the rate limit is one request per user per ten minutes. Up to three pending codes per platform are allowed, and after five failed approvals the user is locked out for one hour. Pairing files are stored with chmod 0600, and codes never appear in stdout.
第一层:网关接入身份权限校验。校验流程依次为平台全局放行配置、私聊配对白名单、平台专属访问白名单、全局通用白名单、全网放行配置,无匹配权限则默认拦截访问。私聊配对机制严格遵循 OWASP 安全规范与 NIST SP 800-63-4 行业标准,配对验证码由无歧义三十二位字符库生成八位随机字符,剔除数字 0、字母 O、数字 1、字母 I 等易混淆字符,调用 secrets.choice() 方法完成随机生成。验证码有效时长为一小时,单用户十分钟内仅可发起一次验证请求,单平台最多留存三组待验证验证码,连续五次验证失败后自动封禁账号一小时。配对配置文件权限设置为 chmod 0600,验证码数据不会输出至标准日志控制台。
The second layer is dangerous command approval. Hermes Agent checks every command execution against a curated list of dangerous patterns. Three approval modes are configurable. In manual mode (the default) every execution is confirmed manually. In smart mode, an auxiliary LLM evaluates risk and decides whether to auto-approve, auto-deny, or prompt the user. In off mode, all checks are disabled, which is functionally equivalent to YOLO mode. YOLO mode itself can be activated via the flag --yolo, the slash command /yolo, or the environment variable HERMES_YOLO_MODE=1. On timeout, fail-closed applies.
第二层:高危执行命令人工审批机制。框架会对所有待执行命令匹配预设高危命令特征库,支持三种管控模式。默认手动模式下,所有高危命令必须经过人工确认方可执行;智能模式依托辅助大模型自主判定执行风险,自动放行、自动拦截或弹窗提醒用户;关闭模式直接停用命令风险检测,等同于无防护运行模式。无防护运行模式可通过 --yolo 启动参数、/yolo 快捷指令、HERMES_YOLO_MODE=1 环境变量三种方式开启,校验流程超时后自动执行拦截策略。
Independent of the approval mode, a hardline blocklist exists that cannot be bypassed. It triggers before any other approval layer and knows no override flag. The following table lists the most important entries.
无论选用何种审批模式,框架均内置不可绕过的强制拦截命令清单,该拦截规则优先级高于所有审批机制,无任何强制放行配置项,核心拦截规则如下表所示:
| Pattern 高危命令特征 | Rationale 拦截原因 |
|---|---|
rm -rf / and variants rm -rf / 及衍生变体命令 |
Deletes the root filesystem 清空服务器根目录全部文件 |
rm -rf --no-preserve-root / |
Explicit root variant 强制跳过保护机制清空根目录 |
| `:(){ : | :& };: :(){ : |
mkfs.* on a mounted root device 挂载根分区设备执行 mkfs.* 格式化命令 |
Formats a running system 强制格式化正在运行的系统磁盘 |
dd if=/dev/zero of=/dev/sd* |
Overwrites physical disks 批量覆盖物理磁盘存储数据 |
Piping untrusted URLs to sh at root level 根目录层级下将不可信网络链接管道传入 sh 执行 |
Remote code execution vector 存在远程代码执行入侵风险 |
The third layer is container isolation. Hermes Agent supports Docker with hardened security flags, without privileged mode and without sensitive mounts by default. In addition, Singularity is supported for HPC environments, Modal for serverless execution, and Daytona and Vercel Sandbox as further options. Within a container, dangerous command checks are automatically skipped because the container itself represents the security boundary.
第三层:容器运行环境隔离防护。框架适配开启安全加固参数的 Docker 运行环境,默认禁止容器特权模式启动、禁止挂载主机敏感目录。同时适配高性能计算场景专用 Singularity、无服务架构 Modal,以及 Daytona、Vercel 沙箱等多种运行载体。容器内部运行的命令会自动跳过高危检测,以容器本身作为独立安全隔离边界。
The fourth layer is MCP credential filtering. MCP subprocesses receive only the environment variables explicitly approved for them. Credential redaction is implemented, SSRF protection is in place, and a Tirith pre-exec security scan runs over the MCP configuration before each execution.
第四层:MCP 协议身份凭证过滤机制。MCP 子进程仅可获取配置文件中明确授权的环境变量,框架内置敏感凭证脱敏处理逻辑与服务端请求伪造防护能力,每次启动 MCP 服务前均会通过 Tirith 安全工具完成配置文件风险扫描。
The fifth layer is context file scanning. Project files are checked for prompt-injection patterns before processing. This is a direct response to the class of attack documented in the OpenClaw ecosystem as CVE-2026-35650.
第五层:项目上下文文件风险扫描。文件正式加载解析前,自动检测文件内是否存在提示词注入攻击特征,该防护机制专门用于抵御 OpenClaw 生态中编号 CVE-2026-35650 对应的同类攻击手段。
The sixth layer is cross-session isolation. Sessions cannot access data or state from other sessions. Cron-job storage paths are hardened against path-traversal attacks, the same class of attack that surfaced in the OpenClaw ecosystem as CVE-2026-25253.
第六层:跨会话数据隔离机制。不同会话之间无法互相读取数据与运行状态,定时任务存储目录增设路径访问限制,可有效防御路径遍历类攻击,该类攻击正是 OpenClaw 漏洞 CVE-2026-25253 对应的核心入侵方式。
The seventh layer is input sanitization. Working-directory parameters in terminal tool backends are validated against allowlists. Shell injection is prevented at the infrastructure level.
第七层:外部输入内容标准化过滤。终端工具后台运行目录参数严格匹配白名单规则校验,从底层架构层面阻断 Shell 命令注入攻击链路。
In addition, MCP OAuth 2.1 has been implemented since v0.8.0. It architecturally solves exactly the problem that became known in the OpenClaw ecosystem as CVE-2026-25891, namely empty authorization headers accepted as valid.
除此之外,v0.8.0 版本接入 MCP OAuth 2.1 标准化认证协议,从架构层面彻底解决 OpenClaw 漏洞 CVE-2026-25891 暴露的认证缺陷,杜绝空身份请求头被判定为合法访问请求的安全隐患。
CVE list for OpenClaw
OpenClaw 已公开通用安全漏洞汇总
OpenClaw accumulated multiple CVEs in its early phase, each addressing a distinct attack vector. The overview below follows the publicly documented entries as of May 2026.
OpenClaw 项目早期研发阶段暴露多项通用安全漏洞,各类漏洞对应不同入侵攻击路径,下文整理截至 2026 年 5 月所有公开备案的漏洞信息。
CVE-2026-25253, skill sandbox escape
CVE-2026-25253:插件沙箱逃逸漏洞
This vulnerability is rated critical with CVSS 9.1. Affected versions are v0.1.0 through v0.3.2, and it was fixed in v0.3.3. Disclosed on 8 February 2026. The cause is a path-traversal bug in the skill loader. Skills could declare paths such as ./data/../../../.ssh/id_rsa. The sandbox system evaluated the path as being "within the skill directory" before the traversal sequence was resolved. The result was read access to arbitrary files on the host system, including SSH keys, AWS credentials, OpenClaw's own ~/.openclaw/identity.json, and browser credential stores. This vulnerability was actively exploited as part of the ClawHavoc campaign. At least 47 malicious skills used the bug.
该漏洞危险等级为高危,通用漏洞评分系统分值为 9.1,影响 v0.1.0 至 v0.3.2 全部版本,v0.3.3 版本完成漏洞修复,漏洞公开披露时间为 2026 年 2 月 8 日。漏洞成因是插件加载模块存在路径遍历代码缺陷,恶意插件可构造 ./data/../../../.ssh/id_rsa 这类跳转路径。沙箱校验逻辑未解析路径跳转规则,直接判定路径处于插件合法目录内,攻击者借此读取服务器主机任意文件,包含 SSH 密钥、亚马逊云服务凭证、OpenClaw 本地身份配置文件、浏览器账号密码缓存文件等。该漏洞曾被大规模恶意攻击活动 ClawHavoc 利用,至少四十七款恶意插件借助该漏洞完成非法入侵。
CVE-2026-25891, MCP server authentication bypass
CVE-2026-25891:MCP 服务端身份认证绕过漏洞
This vulnerability is rated high with CVSS 8.4. Affected versions are v0.2.0 through v0.4.1, and it was fixed in v0.4.2. Disclosed on 19 February 2026. The cause is that MCP servers accepted empty Authorization headers as valid. The check verified only the presence of the header, not its content. Any local process could therefore connect to arbitrary MCP servers without authentication. This vulnerability was used in the MCP proxy campaign to mirror tool invocations to attacker-controlled servers.
该漏洞危险等级为高危,通用漏洞评分系统分值为 8.4,影响 v0.2.0 至 v0.4.1 版本,v0.4.2 版本完成修复,2026 年 2 月 19 日正式公开。漏洞根源为 MCP 服务端仅校验请求头中 Authorization 字段是否存在,未校验字段内身份信息有效性,空身份请求头可直接通过认证校验。本地任意进程均可无权限验证接入各类 MCP 服务端,该漏洞被 MCP 代理劫持攻击活动利用,将智能体工具调用数据同步转发至攻击者管控服务器。
CVE-2026-26102, identity file injection
CVE-2026-26102:身份配置文件篡改注入漏洞
This vulnerability is rated high with CVSS 7.8. Affected versions are v0.1.0 through v0.4.0, and it was fixed in v0.4.1. Disclosed on 14 February 2026. The cause is that skills could overwrite the central identity file ~/.openclaw/identity.json through the configuration API without triggering a user notification or a permission check. The result was a silent privilege escalation, persistence across sessions, and the ability to bend API routing configurations. Twelve variants in ClawHavoc used this gap to duplicate every LLM API call to an external server.
该漏洞危险等级为高危,通用漏洞评分系统分值为 7.8,影响 v0.1.0 至 v0.4.0 版本,v0.4.1 版本完成修复,2026 年 2 月 14 日公开披露。漏洞成因是插件可通过配置接口直接篡改全局身份核心配置文件 ~/.openclaw/identity.json,整个过程无用户消息提醒、无权限拦截校验。攻击者可借此静默提升运行权限、实现跨会话权限留存、篡改接口调度路由规则。ClawHavoc 攻击活动中有十二类恶意程序利用该漏洞,将所有大模型接口调用数据同步外传至第三方恶意服务器。
CVE-2026-24763 and CVE-2026-25157, command injection
CVE-2026-24763 与 CVE-2026-25157:远程命令注入漏洞
Both CVEs are rated high with CVSS 7.5. They are two separate command-injection vulnerabilities in the gateway input handling. Shell metacharacters in unsanitized input fields allowed arbitrary command execution in both cases. Both vulnerabilities were fixed in subsequent gateway releases.
两项漏洞均为高危等级,通用漏洞评分系统分值均为 7.5,均出现在网关服务外部输入数据处理模块。外部传入数据未完成特殊字符过滤,攻击者可植入 Shell 脚本特殊字符实现服务器任意命令执行,两项漏洞均在后续网关迭代版本中完成修复。
CVE-2026-35650, prompt injection and agent config hijack
CVE-2026-35650:提示词注入与智能体配置劫持漏洞
This vulnerability shows that the attack surface does not sit only at the infrastructure level, the LLM behavior itself can become a vulnerability. Prompt-injected model output could overwrite agent configurations, enabling a policy bypass and a host override. In the Hermes Agent security model, this class of attack is addressed by the context file scanning layer.
该漏洞证明安全攻击风险不仅存在于底层服务架构层面,大模型自身输出逻辑同样会产生安全隐患。通过构造恶意提示词篡改大模型输出内容,可间接修改智能体运行配置,绕过权限管控规则并篡改主机运行参数。Hermes Agent 架构中的上下文文件扫描防护层可直接抵御此类攻击方式。
Supply-chain incidents at OpenClaw
OpenClaw 供应链安全攻击事件
In 2026, OpenClaw was the target of two documented supply-chain campaigns, each leveraging different attack techniques. Both run through the ClawHub marketplace and are therefore typical examples of risks that emerge in connection with plugin ecosystems.
2026 年 OpenClaw 先后遭遇两起已备案的供应链恶意攻击事件,两类攻击采用不同入侵手段,攻击入口均依托 ClawHub 插件资源市场展开,也是开源插件生态体系中极具代表性的安全风险案例。
ClawHavoc
ClawHavoc 恶意插件入侵事件
First observed on 3 February 2026. According to publicly available sources, the status in mid-March 2026 was ongoing. Within the campaign, 1,184 malicious packages were identified on ClawHub. 23 legitimate publisher accounts were compromised, infecting auto-update users without their own action. Three distinct threat-actor clusters were identified. The total estimate of installations before package removal lies between 15,000 and 25,000.
该攻击事件最早于 2026 年 2 月 3 日被监测发现,截至 2026 年 3 月中旬攻击行为仍未终止。安全团队在 ClawHub 平台内累计排查出 1184 个恶意插件安装包,二十三个正规插件开发者账号遭到盗号入侵,借助插件自动更新功能静默感染普通用户设备。本次攻击由三组不同黑客团队联合发起,恶意插件下架前累计装机量预估在 15000 至 25000 台设备区间内。
The attack techniques included typosquatting, namely package names such as openclw-gmail instead of openclaw-gmail, dependency confusion via wrongly declared prerequisites, legitimate-looking skills with hidden payloads, and publisher-account takeovers. On the payload side, functions ranged from credential theft (covering SSH keys, AWS credentials, API keys, and browser credential stores) through AMOS Stealer as a macOS-specific component and ClickFix social engineering to cryptominers (XMRig), API-key exfiltration via MCP proxy, and identity-file modification for persistence.
本次攻击采用多种主流供应链入侵手段,包含拼写近似域名仿冒(如使用 openclw-gmail 仿冒正规插件 openclaw-gmail)、依赖包混淆植入恶意程序、外观合规内置恶意执行脚本的伪装插件、开发者账号劫持等。恶意插件搭载的非法功能涵盖各类账号凭证窃取(SSH 密钥、云服务密钥、接口密钥、浏览器登录凭证)、适配苹果电脑系统的 AMOS 信息窃取程序、ClickFix 社交工程钓鱼工具、门罗币挖矿程序、依托 MCP 代理窃取接口密钥、篡改本地身份配置文件实现长期权限留存等。
MCP proxy campaign
MCP 代理流量劫持攻击事件
First observed on 15 February 2026. The campaign is more sophisticated than ClawHavoc because it does not rely on obviously malicious skills but quietly reroutes existing infrastructure. The attack proceeds in three stages. First, a malicious skill installs a legitimate-looking MCP server. Then this MCP server registers itself as a proxy for existing MCP servers, exploiting CVE-2026-25891. Finally, all tool invocations are logged and exfiltrated to an attacker server. From the user's perspective, the system continues to work unremarkably.
该攻击事件于 2026 年 2 月 15 日被监测发现,攻击隐蔽性远高于 ClawHavoc 事件,无需植入明显违规插件,通过篡改现有服务调度链路完成数据窃取。攻击分为三个执行阶段:首先通过轻量恶意插件部署外观合规的伪 MCP 服务端;其次利用 CVE-2026-25891 认证漏洞,将恶意服务端注册为正规 MCP 服务流量代理节点;最后全程记录智能体所有工具调用行为并同步上传至攻击者服务器,整个过程不会影响用户正常使用体验。
Enterprise advisories
企业级安全机构风险提示公告
In February 2026, several major security vendors published their own advisories on OpenClaw. Microsoft on 6 February 2026 rated the default permission model as too permissive for enterprise environments. CrowdStrike on 10 February 2026 reported a 300 percent increase in attacks on AI developer tools in the first quarter of 2026, with OpenClaw being the most frequently attacked framework. Palo Alto Networks Unit 42 on 12 February 2026 published the Lethal Trifecta framework, describing the combination of read access, network access, and ability to act as a maximum risk profile and requiring the structural separation of at least one of these factors as a minimum standard. Cisco Talos on 14 February 2026 published a C2 infrastructure map, YARA rules for ClawHavoc, and a freely available ClawHub Skill Scanner. Meta on 18 February 2026 highlighted the risk of agent-to-agent propagation in linked workflows. The Dutch Data Protection Authority became the first European supervisor to issue an official advisory regarding OpenClaw installations.
2026 年 2 月多家头部网络安全企业针对 OpenClaw 发布专项风险提示公告。2 月 6 日微软发布公告,判定该框架默认权限管控机制无法适配企业生产环境;2 月 10 日科来安全发布行业监测数据,2026 年第一季度人工智能开发工具类攻击事件涨幅达三倍,OpenClaw 为遭受攻击频次最高的智能体框架;2 月 12 日帕洛阿尔托网络安全实验室发布高危风险判定标准,将文件读取权限、外网访问权限、自主执行操作权限三者共存划定为最高风险等级,明确企业部署必须至少隔离其中一项权限;2 月 14 日思科安全团队公布恶意程序通信链路拓扑图、适配 ClawHavoc 攻击的 YARA 查杀规则,同时免费开放 ClawHub 插件安全检测工具;2 月 18 日元科技提醒行业用户警惕联动工作流场景下智能体之间的风险扩散隐患;荷兰数据安全监管机构成为欧洲首个针对 OpenClaw 本地部署场景发布官方风险警示的监管部门。
These advisories should not be read as a blanket negative judgement. They show, rather, that the framework is taken seriously by professional security organizations. Comparable advisories for Hermes Agent do not exist as of May 2026, which can be explained both by the framework's much shorter public availability and by its more conservatively designed security model.
此类风险提示并非全盘否定框架使用价值,反而能够证明该框架已进入专业安全机构重点监测范围。截至 2026 年 5 月,暂无权威机构针对 Hermes Agent 发布同类风险公告,一方面是该框架公开商用时长较短,另一方面源于其从底层搭建的严谨安全防护架构。
Opportunities of both frameworks
两款框架适配优势场景
Both frameworks have independent strengths from an enterprise perspective, which carry different weight depending on the requirement profile.
从企业落地应用角度分析,两款框架均具备专属适配优势,不同业务需求场景下二者实用价值存在明显区分。
OpenClaw brings the clearly larger ecosystem. The ClawHub marketplace covers a wide skill range, and through the commercial SaaS variant at openclawai.io, an entry path exists for teams that do not want to self-host. The messaging-platform support is unusually broad and includes, besides WhatsApp, Telegram, and Slack, also Discord, Signal, iMessage, Google Chat, Microsoft Teams, Matrix, BlueBubbles, Zalo, and WebChat. The canvas UI system offers visualization and interaction capabilities that are rare in the agent-framework space. Through the Agent Communication Protocol since v4.2, OpenClaw provides its own standard for inter-agent communication, supporting sub-agent spawning and thread-bound sessions. The release pace, combined with the foundation structure, suggests a stable trajectory going forward.
OpenClaw 具备规模更大的配套生态体系,ClawHub 市场覆盖全品类实用插件,依托 openclawai.io 云端商业化服务,可满足无本地部署运维能力团队的使用需求。该框架兼容的社交消息平台品类行业领先,除主流海外社交软件外,还适配多款小众即时通讯工具。可视化画布交互界面在同类智能体框架中稀缺度较高,v4.2 版本上线自研智能体通信协议,搭建标准化跨智能体交互规范,支持创建子智能体与线程绑定独立会话。依托基金会统筹运营模式搭配稳定版本迭代节奏,项目长期发展态势趋于平稳。
Hermes Agent scores primarily with its proactively designed security model. The seven security layers address exactly the class of attacks that emerged in the OpenClaw ecosystem during its early phase, without having to be retrofitted reactively. The MIT license without commercial ties and the absence of a parallel SaaS variant make the framework attractive to organizations strictly committed to self-hosted solutions. The release cadence is high, the community is active, and with Nous Research, an organization well established in research is behind the project. The Curator as an autonomous skill-library manager is a feature for which OpenClaw has no direct equivalent. MCP OAuth 2.1 is a new standard that is likely to gain considerable importance for federated agent setups.
Hermes Agent 核心优势为前置化搭建的七层安全防护体系,可提前抵御 OpenClaw 早期暴露的各类安全攻击手段,无需事后紧急修复优化。项目采用无商业绑定的 MIT 开源协议,无云端付费服务体系,高度契合坚持全链路本地私有化部署的机构使用需求。项目迭代更新速度快、社区开发活跃度高,背后依托具备深厚大模型科研实力的 Nous Research 实验室提供技术支撑。框架内置的插件库自主整理后台进程为独家特色功能,暂无同类功能对标 OpenClaw。框架适配的 MCP OAuth 2.1 标准化认证协议,未来会成为分布式互联智能体集群搭建的主流核心规范。
Risks of both frameworks
两款框架潜在使用隐患
Both frameworks also carry risks that must be named honestly.
两款框架在实际落地使用过程中均存在不可忽视的潜在隐患。
For OpenClaw, the CVEs that emerged during the early phase and the documented supply-chain campaigns stand out. The ClawHub ecosystem remains large and therefore an attractive target for attackers. Even after the security patches, the originally permissive default permission model remains an element that must be carefully configured in regulated industries. With the move of the originating developer Peter Steinberger to OpenAI, a dependency on the OpenAI ecosystem also emerged that should be considered strategically. The foundation structure cushions this but does not eliminate it. On top of this come the ongoing enterprise advisories, which compliance teams must account for in approval processes.
OpenClaw 的核心隐患集中于早期遗留通用安全漏洞与已曝光的供应链恶意攻击事件,庞大的 ClawHub 插件生态持续吸引网络攻击者瞄准入侵。即便完成所有漏洞补丁更新,项目原生宽松的默认权限规则在金融、政务等合规严格行业中仍需手动精细化调整配置。项目初代核心开发者入职 OpenAI 后,项目发展方向逐步与 OpenAI 生态产生绑定关联,基金会统筹模式仅能弱化该关联,无法彻底摆脱生态依赖。各类企业级安全风险提示公告持续发布,也增加了企业合规部门的项目上线审批难度。
For Hermes Agent, the risks are different. With a public launch in March 2026, the framework is significantly younger than OpenClaw. The ecosystem is smaller, and there is neither a commercial support offering nor an official hosting variant. The YOLO mode, which disables all approval prompts, is a potential risk in CI/CD environments or automated setups if activated uncritically. The hardline blocklist softens this but does not eliminate it. Even though no CVEs are publicly documented through May 2026, that says nothing about the existence of vulnerabilities, only about their public visibility. The fact that Hermes Agent is supported by a smaller maintainer base can be read as a strength (clear responsibility) or as a risk (bus factor), depending on perspective.
Hermes Agent 存在差异化使用隐患,该框架 2026 年 3 月才正式公开上线,研发成熟度远低于 OpenClaw,配套插件生态资源体量偏小,无商业化技术售后支持与官方云端托管服务。框架内置的无防护运行模式若在持续集成、自动化运维场景中随意开启,会大幅提升服务器入侵风险,内置强制拦截命令清单仅能降低风险概率,无法彻底杜绝隐患。截至 2026 年 5 月暂无公开备案通用安全漏洞,仅代表漏洞未对外披露,不代表框架不存在底层安全缺陷。项目核心维护团队人员规模较少,优势为权责划分清晰,弊端则是核心人员变动容易直接影响项目整体迭代进度。
Large comparison table
全维度综合对比表
| Dimension 对比维度 | OpenClaw | Hermes Agent |
|---|---|---|
| 项目起源 Origin | Moltbot by Peter Steinberger, foundation since 14 February 2026 初代项目 Moltbot 由彼得·施泰因贝格尔研发,2026 年 2 月 14 日移交基金会运营更名 | Nous Research, repo since 22 July 2025, launch v0.2.0 on 12 March 2026 隶属 Nous Research 实验室,2025 年 7 月搭建代码仓库,2026 年 3 月 12 日发布 v0.2.0 正式版 |
| 开源协议 License | MIT, commercial SaaS at openclawai.io MIT 协议,同步推出 openclawai.io 商业化云端服务 | MIT, no commercial SaaS MIT 协议,无任何商业化云端付费服务 |
| 架构设计 Architecture | Hub-and-spoke with gateway daemon, built-in messaging adapters 中心辐射式架构,搭载内置消息适配组件的网关守护进程 | Modular, CLI-first, optional gateway mode, container backends as default 模块化架构,命令行优先设计,网关互联为拓展功能,原生适配容器化运行 |
| 部署方式 Deployment | Self-hosted plus SaaS, ClawHub as package registry 支持本地私有化部署+云端托管部署,ClawHub 作为插件资源仓库 | Self-hosted only, Nous Portal provides models 仅支持本地私有化部署,依托 Nous 平台获取配套大模型资源 |
| 消息平台适配 Messaging platforms | More than 15 platforms, including WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Teams, Matrix, BlueBubbles, Zalo, Google Chat 适配十五类以上平台,涵盖海外主流社交软件、办公通讯工具 | Telegram, Discord, WhatsApp, Slack, Feishu, Lark, WeCom 适配海外主流平台与国内飞书、钉钉、企业微信 |
| 浏览器自动化 Browser Automation | Based on Playwright, universal compatibility 基于 Playwright 开发,通用网页适配性强 | Built-in Camofox anti-detection browser since v0.7.0 v0.7.0 版本起内置反检测专用浏览器,规避站点风控 |
| 模型接入 Model Access | OpenAI / Anthropic / Google / Ollama / OpenRouter 兼容主流闭源大模型与本地开源大模型 | Full local model priority, support mainstream third-party model interfaces 优先适配本地私有大模型,同时兼容第三方通用模型接口 |
| 会话管理 Session Manage | Shared main session by default, optional secure isolated DM mode 默认统一共用会话,可手动开启私密私聊隔离模式 | Strict cross-session data isolation, independent permission control 严格实现跨会话数据隔离,独立划分权限管控 |
| 安全体系 Security System | Post-event security optimization, loose default permission strategy 事件驱动式安全迭代,初始默认权限管控宽松 | Seven-layer built-in security architecture, whole-process risk interception 内置七层原生安全防护架构,全流程拦截各类攻击风险 |
| 漏洞情况 Vulnerabilities | Multiple confirmed CVEs, multiple supply chain attack incidents 已披露多项高危通用漏洞,发生多起供应链恶意入侵事件 | No public disclosed CVE records as of May 2026 截至2026年5月无公开备案通用安全漏洞 |
| 插件机制 Skill Mechanism | Manual management + manual hot reload, large ecosystem volume 人工管理搭配手动热加载,插件生态资源体量庞大 | Auto-curation background process, automatic sorting and cleaning 配备插件自主整理后台,自动归类清理冗余插件 |
| 运行环境适配 Operating Env | Mainstream Docker deployment, single gateway centralized operation 主流Docker部署为主,单网关统一集中调度运行 | Docker / Singularity / Modal / Sandbox multi-container adaptation 兼容多种容器架构,适配高性能计算、无服务等多元场景 |
| 通信协议 Communication Protocol | Self-developed ACP agent communication protocol 自研ACP智能体跨端通信协议 | Native support MCP & MCP OAuth 2.1 standard protocol 原生兼容MCP协议与MCP OAuth 2.1权威认证协议 |
| 迭代节奏 Update Rhythm | Low release frequency, each version focuses on large architectural adjustment 版本发布频次偏低,侧重大规模底层架构优化 | Fast iteration speed, short-cycle functional iteration and community optimization 迭代更新迅速,短周期完成功能增补与社区优化 |
| 适用场景 Applicable Scenarios | Multi-platform message linkage, commercial cloud service delivery, visual workflow arrangement 多平台消息联动、商业化云端交付、可视化流程编排 | Enterprise private deployment, high-security internal office, stable autonomous agent operation 企业私有化部署、高安全等级内网办公、稳定自主智能体运行 |
| 运维难度 Operation Difficulty | High early configuration cost, rich follow-up ecological resources 前期配置成本偏高,后期生态配套资源充足 | Low initial access threshold, simple deployment and strict safety rules 上手部署简洁,配置门槛低,安全约束规则清晰 |
Final Summary
总结评述
From practical application perspectives, OpenClaw takes advantage of complete ecological layout and rich multi-terminal linkage capabilities, which is more suitable for commercial productization, public platform access and multi-scene message aggregation business.
从实际落地角度来看,OpenClaw依托完善的生态布局与成熟的多端联动能力,更适配商业产品化搭建、公网平台接入、多渠道消息聚合类业务。
Hermes Agent focuses on inherent safety performance and lightweight private deployment attributes, with stricter risk control logic from the bottom layer, which is more in line with the usage demands of financial, government affairs and other industries that attach importance to data confidentiality and access security.
Hermes Agent 侧重原生安全性能与轻量化私有化部署属性,底层风控逻辑更为严谨,更加贴合金融、政务等注重数据保密与访问安全行业的使用需求。
Both frameworks are still in the rapid development stage. Users can select matching frameworks according to business safety standards, deployment modes and functional expansion demands.
两款框架目前均处于高速发展阶段,使用者可依据业务安全标准、部署形式、功能拓展需求择优选用。
Hermes Agent vs OpenClaw: Which Open-Source AI Agent Should You Use?
Hermes Agent 对比 OpenClaw:如何选择开源人工智能智能体
Hermes Agent and OpenClaw are both open-source AI agents with persistent memory and tool integrations. Here's how they compare for real automation work.
Hermes Agent 与 OpenClaw 均为搭载持久化记忆功能与工具集成能力的开源人工智能智能体,本文结合实际自动化工作场景展开二者对比。
MindStudio Team·May 1, 2026
MindStudio 团队 · 2026 年 5 月 1 日
Two Open-Source Agents, Very Different Philosophies
两款开源智能体,设计思路存在差异
If you're evaluating open-source AI agents for automation work, you've probably run into Hermes Agent and OpenClaw somewhere in the same breath. Both are community-built, both support persistent memory and tool use, and both aim to give developers a self-hostable agent foundation they actually control.
开展自动化相关工作并筛选开源人工智能智能体时,常会同时接触 Hermes Agent 与 OpenClaw。两款项目均由社区协同开发,均可接入持久化记忆模块与各类实用工具,均可为开发者提供可本地部署、自主管控的智能体基础架构。
But the similarities mostly stop there. The multi-agent automation space has split into two distinct camps: agents built for modularity and composability versus agents built for simplicity and quick deployment. Hermes Agent and OpenClaw sit on opposite sides of that line --- and choosing the wrong one for your use case means fighting the framework instead of building with it.
二者的相同特性仅有上述内容。多智能体自动化应用领域逐步形成两类研发方向,一类面向模块化组合场景研发,一类面向轻量化快速部署场景研发。Hermes Agent 与 OpenClaw 分别适配两类不同研发方向,应用场景与项目选型出现偏差时,项目开发进程会受到框架本身规则的制约。
This comparison breaks down what each tool actually does, where each one excels, and which types of automation work each is better suited for.
本文梳理两款工具具备的功能特性、适用运行环境以及可承接的自动化工作类型。
What Hermes Agent Is Built For
Hermes Agent 适配应用方向
Hermes Agent is an open-source autonomous agent framework built around function-calling language models --- most commonly the Nous Research Hermes series, which was specifically fine-tuned for structured tool use and instruction following. The project's core design assumption is that agents should be composable: small, focused agents that each handle a specific task, coordinated by an orchestrator.
Hermes Agent 是依托函数调用型语言模型搭建的开源自主智能体框架,该框架常搭配 Nous Research 推出的 Hermes 系列模型使用,此类模型经过专项微调,适配结构化工具调用与指令执行流程。该项目在设计阶段确立组合式运行逻辑,拆分出功能单一、任务明确的小型智能体,依靠调度程序完成统一统筹运转。
The framework leans heavily on:
该框架依托以下功能模块完成运行:
- Structured outputs
结构化输出能力
Hermes-based models produce clean JSON for tool calls without extensive prompt engineering
搭载 Hermes 系列模型可直接输出规范 JSON 格式工具调用内容,无需编写大量提示词完成格式约束 - Multi-agent orchestration
多智能体调度能力
You can chain agents together, passing context and results between them
可完成多智能体串联排布,实现运行上下文与任务执行结果的相互传递 - Memory modules
记忆存储模块
Both short-term (conversation context) and long-term (vector store retrieval) are built into the architecture
架构内部集成短期对话上下文存储模块与基于向量库检索的长期记忆存储模块 - Tool registration
工具注册机制
Tools are defined as typed function signatures, and the agent routes to them based on the model's reasoning
工具可按照标准化函数格式完成定义,智能体依托模型逻辑判定完成对应工具调用
The setup is Python-first. If you're comfortable writing agent logic in code, defining tools as decorated functions, and managing your own model serving (via Ollama, vLLM, or a hosted API), Hermes Agent gives you a lot of control.
该项目以 Python 作为主流开发语言。使用者可通过代码编写智能体运行逻辑,以装饰器函数形式定义各类工具,同时依托 Ollama、vLLM 或线上接口自主搭建模型运行服务,以此实现对项目各项运行参数的自主调配。
Where It Gets Complicated
项目部署运行存在的客观条件
That control comes with complexity. Setting up a full Hermes Agent deployment with persistent memory and multiple tool integrations requires:
自主调配权限的获取对应相应部署流程,完成搭载持久化记忆与多类工具集成的完整 Hermes Agent 部署工作,需要完成以下流程:
- Running or connecting to a compatible LLM endpoint
搭建本地大语言模型服务,或接入符合适配标准的外部模型接口 - Configuring a vector database for long-term memory (Chroma, Qdrant, or similar)
配置 Chroma、Qdrant 等向量数据库,用于承接长期记忆存储业务 - Writing and registering tool definitions
完成各类工具的代码编写与项目内部注册流程 - Building the orchestration layer if you want multi-agent behavior
搭建调度层级程序,以此实现多智能体协同运转模式
For developers who want to understand every component in the stack, this is a feature. For teams that need to ship something quickly, it can be a significant time sink.
该部署模式便于研发人员理清项目全层级组件运行逻辑,同时会拉长项目落地周期,不适用于存在快速上线需求的开发团队。
What OpenClaw Is Built For
OpenClaw 适配应用方向
OpenClaw takes a different approach. It's designed as a higher-level agent runtime --- something closer to a complete autonomous agent system out of the box rather than a framework you assemble from parts.
OpenClaw 采用差异化设计思路,定位为高层级智能体运行程序,项目内置完整运行组件,无需使用者拆分组装各类基础模块,可直接作为成型自主智能体系统投入使用。
The project focuses on three things:
该项目的研发设计围绕三类功能方向展开:
- Ease of deployment
简易化部署模式
Single-command startup with Docker, minimal configuration required
支持通过 Docker 执行单行指令完成启动,部署阶段所需配置内容数量较少 - Built-in tool integrations
内置集成各类实用工具
Web search, file operations, code execution, and browser automation are included by default, not add-ons
项目原生搭载网页检索、文件处理、代码运行、浏览器自动化等功能,无需额外加装拓展组件 - Planning and self-correction
任务规划与自主校验机制
The agent uses a plan-execute-reflect loop, where it generates a task plan, executes steps, and reviews its own results before proceeding
智能体采用规划-执行-复盘循环运行模式,先行生成任务执行方案,依次完成流程操作,完成阶段性工作后核验执行结果,再推进后续流程
OpenClaw works with standard OpenAI-compatible APIs, which means you can point it at GPT-4, Claude (via a compatibility layer), or any locally hosted model with an OpenAI-compatible endpoint. You're not locked into a specific model family.
OpenClaw 可对接所有符合 OpenAI 接口规范的服务端口,使用者可接入 GPT-4、适配接口格式后的 Claude 模型,以及所有搭建对应标准接口的本地部署模型,项目运行不受单一模型品类限制。
Where It Gets Complicated
项目部署运行存在的客观条件
The flip side of OpenClaw's batteries-included design is that customization has limits. Adding a novel tool integration or changing how the memory system works means modifying internals rather than extending a defined API. The codebase is less modular, so teams that outgrow the defaults often find themselves forking the project rather than extending it cleanly.
全组件内置的设计模式会对项目自定义调整范围形成约束。新增非常规工具、调整记忆模块运行逻辑时,需要改动项目底层源码,无法依托标准化接口完成功能拓展。项目代码模块化程度偏低,当默认功能无法满足使用需求时,开发团队多采用分支复刻的方式调整项目内容,难以完成标准化功能拓展。
Multi-agent support also lags behind Hermes Agent. OpenClaw is primarily built around a single-agent loop --- it handles complex tasks through planning rather than delegation to specialized sub-agents.
该项目在多智能体协同运转相关功能的完善程度上存在不足。OpenClaw 以单一智能体循环运行为主体运行模式,依靠任务拆分规划完成复杂工作,不采用拆分专项子智能体分发任务的运行方式。
Head-to-Head: The Key Comparison Dimensions
多维度横向对比
Setup and Time to First Run
部署流程与启用耗时
Hermes Agent: Expect 2--4 hours for a full local setup with memory and tools configured. More if you're setting up a local model server for the first time.
Hermes Agent:完成包含记忆模块与各类工具配置的完整本地部署,耗时区间为 2 至 4 小时;首次搭建本地模型服务时,整体耗时会出现增加。
OpenClaw: Docker Compose gets you running in under 30 minutes. Web search and file tools work immediately. You're doing real tasks the same day.
OpenClaw:借助 Docker Compose 工具可在 30 分钟以内完成部署启动,网页检索、文件处理等内置工具部署完成后可直接启用,当日即可投入实际工作使用。
Memory Architecture
记忆存储架构
Both tools support persistent memory, but they implement it differently.
两款项目均可实现持久化记忆存储功能,对应的架构搭建方式存在区别。
Hermes Agent uses a modular memory system where you choose your own backend. Short-term memory is managed as sliding context windows. Long-term memory uses embeddings stored in a vector database of your choice. You control the chunking strategy, the embedding model, and the retrieval logic.
Hermes Agent 采用模块化记忆架构,使用者可自主选定存储后端程序。短期记忆依托滑动上下文窗口完成管理,长期记忆依托使用者自选向量数据库存储向量嵌入数据,记忆内容拆分规则、嵌入模型选型、数据检索逻辑均可由使用者自主设定。
OpenClaw ships with a default memory stack --- typically a local SQLite or Redis store for episodic memory and a built-in vector store for semantic retrieval. It works well with no configuration, but swapping in a different backend is non-trivial.
OpenClaw 搭载固定默认记忆存储组合,一般采用本地 SQLite 数据库或 Redis 数据库存储情景记忆内容,依靠内置向量存储组件完成语义检索工作。无额外配置操作即可正常运行,更换存储后端程序需要执行较多调整流程。
If memory system architecture matters to your use case --- for example, building an agent that needs very specific retrieval logic --- Hermes Agent gives you more control. For standard use cases, OpenClaw's defaults are good enough.
针对存在定制化记忆检索逻辑等特殊使用需求的场景,Hermes Agent 可提供更多可调参数;日常常规使用场景下,OpenClaw 的默认配置可满足运行需求。
Tool Integration
工具集成模式
This is one of the sharpest differences between the two projects.
工具集成模式是两款项目差异化特征较为明显的板块。
Hermes Agent defines tools as typed Python functions with docstrings. The framework uses these signatures to tell the model what tools are available and how to call them. Adding a new tool is clean and explicit. But out of the box, you're starting with whatever the community has contributed, which varies.
Hermes Agent 以附带注释文档的标准化 Python 函数完成工具定义,框架依托函数格式向模型同步可用工具清单与调用方式,新增工具的流程规范清晰。项目初始状态下仅搭载社区公开贡献的工具,工具数量与功能类型存在浮动空间。
OpenClaw ships with a substantial built-in toolset:
OpenClaw 项目初始状态内置大量实用工具:
- Web search (via SerpAPI or Brave Search)
网页检索(适配 SerpAPI、Brave Search 接口) - File read/write
文件读写操作 - Python code execution in a sandboxed environment
沙箱环境内 Python 代码运行 - Browser automation (via Playwright)
基于 Playwright 实现浏览器自动化操作 - Shell command execution
终端指令执行
For general automation work, OpenClaw's defaults cover a lot of ground without writing a single line of tool definition code.
开展常规自动化相关工作时,使用者无需编写工具定义代码,依靠 OpenClaw 内置工具即可完成多数业务流程。
Multi-Agent Support
多智能体协同能力
Hermes Agent was designed with multi-agent patterns in mind. You can define orchestrator agents that spawn or call specialist agents, pass structured results between them, and build workflows that look more like a directed graph of agents than a single loop.
Hermes Agent 在设计阶段纳入多智能体运行逻辑,使用者可搭建调度型智能体,实现专项功能智能体的启用与调用,在不同智能体之间传递标准化执行数据,搭建出有向图式的多节点工作流程,区别于单一循环运行模式。
OpenClaw handles complexity through task decomposition --- a single agent breaks a goal into steps and works through them sequentially or with branching logic. This works well for many tasks, but it doesn't support true parallel agent execution or delegation to domain-specific sub-agents.
OpenClaw 依靠任务拆分方式处理复杂工作,由单一智能体将整体目标拆分为细分流程,按照顺序逻辑或分支逻辑依次执行。该模式可适配多数常规工作,无法实现多智能体并行运转,也不支持按照业务领域拆分子智能体分发任务。
If your automation work requires multiple specialized agents working in parallel --- say, one agent researching, another writing, and a third reviewing --- Hermes Agent is the right architecture.
存在多类专项智能体并行作业需求,例如分别承担资料检索、内容编写、内容审核等工作时,Hermes Agent 的架构模式更为适配。
Model Compatibility
模型适配范围
Hermes Agent is optimized for models trained on Hermes-style instruction and function-calling formats. You can use other models, but you may need to adjust prompt templates and tool-calling logic to match the model's expected format. It works best with Nous Hermes 2, Hermes 3, or other models with strong function-calling fine-tuning.
Hermes Agent 针对适配 Hermes 指令格式与函数调用格式的训练模型完成运行优化,接入其他品类模型时,需要调整提示词模板与工具调用逻辑,匹配对应模型的输出输入格式。该项目与 Nous Hermes 2、Hermes 3 等经过函数调用专项微调的模型适配度更高。
OpenClaw works with any OpenAI-compatible endpoint. This means GPT-4o, Claude via a compatibility wrapper, Llama 3 served through Ollama, Mistral, and others. The planning loop is prompt-based and adapts reasonably well across model families.
OpenClaw 可对接所有符合 OpenAI 接口标准的服务端口,可接入 GPT-4o、经过格式适配后的 Claude 模型、依托 Ollama 部署的 Llama 3 模型、Mistral 系列模型等各类主流模型。项目内部任务规划流程依托提示词搭建,可适配不同品类的大语言模型。
Community and Maintenance
社区生态与项目维护状态
Both projects are community-maintained, which means support quality varies. A few things worth noting:
两款项目均由开源社区负责日常维护,相关技术支持资源存在差异,相关参考信息如下:
- Hermes Agent tends to attract developers who are deep in the LLM fine-tuning and agent research space. Issues are technical, discussion is detailed, and new features often come from people building serious production systems.
参与 Hermes Agent 项目研发交流的人员,多深耕大模型微调与智能体技术研究领域,相关问题讨论偏向技术底层内容,项目新增功能多来源于实际线上业务场景的实践总结。 - OpenClaw has a broader, more beginner-friendly community. Documentation is more accessible. There are more tutorials and starter guides.
OpenClaw 面向的社区受众范围更广,适配入门级使用者,项目配套文档通俗易懂,网络中相关入门教程与实操指引内容数量更多。 - Neither project has a commercial backer, so maintenance continuity is always a risk to evaluate.
两款项目均无商业资本专项扶持,项目长期稳定维护状态需要使用者自行评估研判。
Comparison Table
项目参数对比表
表格内容全部单元格左对齐,英文在上、中文分行呈现
| Dimension 对比维度 | Hermes Agent | OpenClaw |
|---|---|---|
| Setup time 部署耗时 | 2--4 hours 2 至 4 小时 | < 30 minutes 30 分钟以内 |
| Model flexibility 模型适配自由度 | Hermes-optimized, adapts with effort 适配 Hermes 系列模型,接入其他模型需调整配置 | Any OpenAI-compatible API 适配所有符合 OpenAI 接口标准的服务端口 |
| Default toolset 默认内置工具 | Minimal, add your own 内置工具数量偏少,需自行拓展 | Substantial out of the box 初始内置工具品类齐全 |
| Memory architecture 记忆存储架构 | Fully modular, bring your own backend 全模块化设计,可自主搭配存储后端 | Good defaults, harder to swap 默认配置可直接使用,更换后端流程繁琐 |
| Multi-agent support 多智能体适配能力 | Native, first-class 原生适配,功能体系完善 | Single-agent with task planning 以单智能体运行为主,依靠任务拆分处理复杂工作 |
| Customization depth 自定义调整空间 | High 调整空间充足 | Moderate 调整空间适中 |
| Best language 主流开发语言 | Python Python | Python Python |
| Community size 社区规模 | Smaller, more technical 规模偏小,交流内容偏向底层技术 | Larger, more accessible 规模更大,入门友好度更高 |
| Docker deployment Docker 部署模式 | Possible, not primary workflow 支持部署,非主流运行方式 | Native Docker support 原生适配 Docker 部署流程 |
Which Should You Use?
项目选型参考
Use Hermes Agent if:
适配 Hermes Agent 的应用场景
- You're building a multi-agent system where different agents handle different domains
搭建多智能体协同系统,划分不同智能体承接不同业务领域工作 - You need precise control over memory retrieval, tool definitions, and agent coordination logic
需要自主把控记忆检索规则、工具定义格式、智能体协同运行逻辑 - You're already running Hermes-family models or want to leverage structured function-calling fine-tuning
已部署 Hermes 系列模型,或是需要依托结构化函数调用微调能力开展研发 - You have Python developers who can own the integration work
团队配备可独立完成功能集成开发的 Python 研发人员 - You're building something production-grade where you want clean, testable agent components
搭建可投入正式线上运行的项目,要求智能体组件结构规范、可完成标准化测试
Use OpenClaw if:
适配 OpenClaw 的应用场景
- You need something running quickly with minimal setup
追求快速落地运行,简化前期部署配置流程 - Your use case fits the default toolset --- web research, file operations, code execution
业务场景可依靠网页检索、文件处理、代码运行等内置工具完成 - You're running a single autonomous agent that handles complex tasks through planning
采用单一自主智能体模式,依靠任务规划模式处理各类复杂工作 - You want broad model compatibility without tuning prompt templates
希望兼容多品类大语言模型,无需反复调整提示词模板 - You're prototyping or evaluating whether an autonomous agent approach works for your problem before investing in architecture
处于项目原型搭建阶段,先行验证智能体运行模式的适配性,再开展正式架构搭建工作
Frequently Asked Questions
常见问答
What is Hermes Agent?
什么是 Hermes Agent
Hermes Agent is an open-source Python framework for building autonomous AI agents using function-calling language models. It's optimized for models from the Nous Research Hermes family, which are fine-tuned for structured tool use. The framework supports persistent memory, tool registration, and multi-agent orchestration. It's designed for developers who want full control over their agent architecture.
Hermes Agent 是基于 Python 开发的开源框架,用于依托函数调用型语言模型搭建自主人工智能智能体。该项目针对经过结构化工具调用微调的 Nous Research Hermes 系列模型完成运行优化,支持持久化记忆存储、工具注册接入、多智能体协同调度等功能,面向需要自主把控智能体整体架构的研发人员。
What is OpenClaw?
什么是 OpenClaw
OpenClaw is an open-source autonomous agent runtime focused on ease of deployment and built-in tooling. It ships with web search, file operations, code execution, and browser automation out of the box. It uses a plan-execute-reflect loop and works with any OpenAI-compatible model endpoint. It's designed for faster setup and general-purpose automation without extensive configuration.
OpenClaw 是侧重简易部署与内置工具集成的开源自主智能体运行程序,项目初始内置网页检索、文件处理、代码运行、浏览器自动化等功能模块,采用规划-执行-复盘循环运行机制,可对接所有符合 OpenAI 接口标准的模型服务端口,适配无需复杂配置、追求快速搭建的通用自动化业务场景。
Can Hermes Agent and OpenClaw work together?
两款项目是否可联动运行
Not in a native integration sense --- they're separate frameworks with different architectures. However, you could in principle use OpenClaw as a standalone agent within a larger system coordinated by Hermes Agent's orchestration layer, though you'd need to build the interface between them. In practice, most teams choose one framework and build within it.
两款项目架构体系相互独立,不存在原生联动对接机制。理论层面可将 OpenClaw 作为独立运行单元,接入 Hermes Agent 调度程序搭建的整体系统内使用,该方式需要使用者自行开发双向对接接口。实际项目开发过程中,多数团队仅选定单一框架完成全流程搭建。
Which open-source AI agent is better for multi-agent automation?
多智能体自动化场景适配项目
Hermes Agent is the stronger choice for multi-agent architectures. It was designed with agent composition in mind --- orchestrators can spawn or delegate to sub-agents, and results pass between them in structured formats. OpenClaw handles complexity through single-agent task planning, which works for many use cases but doesn't support parallel agent execution or domain specialization in the same way.
搭建多智能体架构体系时可选用 Hermes Agent,该项目在设计阶段纳入智能体组合运行逻辑,调度程序可启用各类子智能体并分发对应任务,各类智能体之间可传输标准化格式的执行数据。OpenClaw 依靠单智能体任务拆分模式处理复杂工作,该模式可适配多数常规场景,无法实现同类别的多智能体并行作业与业务领域专项拆分运行。
Do these agents require a specific LLM?
两款项目是否限定大语言模型品类
Hermes Agent works best with Hermes-series models due to their function-calling fine-tuning, though it can be adapted for other models with prompt template adjustments. OpenClaw works with any OpenAI-compatible API, giving it broader model flexibility --- including locally hosted models via Ollama or other serving frameworks.
依托函数调用专项微调特性,Hermes Agent 与 Hermes 系列模型适配度更高,调整提示词模板后也可接入其他品类模型。OpenClaw 无特定模型品类限制,所有搭载 OpenAI 标准接口的模型均可接入使用,包含依托 Ollama 等程序本地部署的各类开源模型,模型适配范围更广。
What are the main alternatives to Hermes Agent and OpenClaw?
同类替代开源项目
The broader open-source agent ecosystem includes LangChain and LangGraph for composable agent pipelines, AutoGen from Microsoft for multi-agent conversation patterns, CrewAI for role-based agent teams, and Agno (formerly PhiData) for lightweight agent definitions. Each has a different trade-off between control and simplicity. For teams that want to skip self-hosting entirely, platforms offer managed agent infrastructure with visual tooling.
开源智能体领域存在多款同类项目,LangChain 与 LangGraph 可用于搭建组合式智能体运行流程,微软推出的 AutoGen 适配多智能体对话交互场景,CrewAI 适用于搭建分职能智能体协作团队,Agno(原 PhiData)多用于轻量化智能体快速定义。各类项目在自主调控权限与简易使用模式之间形成不同平衡关系。无需开展本地部署工作的团队,可选用搭载可视化操作工具的托管式智能体服务平台。
Key Takeaways
内容总结
- Hermes Agent fits multi-agent system construction, scene requiring independent adjustment on all levels of agent running rules
Hermes Agent 适配多智能体系统搭建,以及需要自主调整智能体全层级运行规则的各类场景 - OpenClaw matches rapid deployment work and conventional automation business with low configuration demands
OpenClaw 适配快速搭建部署工作,以及配置需求较少的常规自动化业务 - The two projects form different ranges of compatible models according to interface standards
两款项目依托不同接口规范,形成差异化的模型适配范围 - The operation and maintenance state of both projects relies on community maintenance, and relevant conditions need to be confirmed before formal use
两款项目的日常运维工作均依托开源社区完成,正式投入使用前需要核实相关运维相关状态 - When infrastructure deployment consumes too much manpower, auxiliary development tools can be selected to reduce basic environment building work
基础设施部署流程占用过多人力时,可选用配套辅助开发工具,缩减基础运行环境搭建相关工作量
Hermes 彻底碾压 OpenClaw,成为打工人首选 AI 搭子
原创 Mr.K 技术领导力 2026 年 5 月 21 日 08:35 上海
当下,不少开发者逐步减少 OpenClaw(俗称"虾")的使用频次,转而选用 Hermes(俗称"马")。上周,Hermes 跻身 OpenRouter 全球应用 Token 消耗榜单首位,实现对 OpenClaw 的数据超越。短短数月时间,Agent 相关领域行业格局出现明显变动。行业发展进程中,架构设计思路、安全运行条件与项目推进效率层面的各类差异逐渐显现,相关内容可供各类 AI 工具使用者参考学习。
01 Hermes 整体运行表现
依据 OpenRouter 5 月 9 日发布的榜单信息,Hermes 单日 Token 消耗量达到 2710 亿(271B),居于全球榜单首位;OpenClaw 单日 Token 消耗量为 2450 亿,位列第二名;Kilo Code、Claude Code 单日消耗量依次为 1490 亿、792 亿,分别占据第三、第四位次。
OpenClaw 过往累计 Token 消耗数值依旧偏高,累计数值为 9.17 万亿,Hermes 累计数值为 6.35 万亿。单日榜单统计数据可以直观体现开发者新增工作任务的资源使用倾向,累计使用数值更多体现过往使用习惯,难以贴合当下行业选用趋势。
作为开源项目框架,Hermes 在 GitHub 平台收获 14 万枚星标,近一个月星标数量实现翻倍增长,项目 Fork 数量达到 21.8k,参与项目开发维护的人员规模接近千人。该项目于 2026 年 2 月 25 日正式上线,上线至今仅十周左右,便完成从起步阶段到全球 AI 模型调用量前列的发展进程。
在 Hermes 平台的模型调用排行里,榜单前五席位中有四款为国内研发模型。小米 MiMo-V2-Pro 位列榜单首位,MiniMax M2.7 位居第二,英伟达 Nemotron 3 Super 排在第三,阶跃星辰 Step 3.5 Flash 位列第四,腾讯 Hy3 preview 占据第五席位。国内研发的各类 AI 模型,为 Hermes 平台运行提供充足算力支撑,在全球智能技术应用场景中展现出稳定的运行水准。
02 Hermes 发展适配优势
梳理 Hermes 快速普及的原因,可先梳理 OpenClaw 实际运行里存在的各类问题。
小米 MiMo 大模型相关负责人罗福莉,在 2026 年中关村论坛交流活动中,针对 OpenClaw 作出客观评述。她表示,OpenClaw 的出现推动 Agent 框架设计行业完成模式革新,同时该工具在深度代码编写场景中,存在运行效率不足的情况,具体体现在对话文本窗口资源闲置、程序推演运行开支偏高等方面。
罗福莉提及的内容,仅为 OpenClaw 运行问题中的一部分,该工具在安全运行层面还存在诸多隐患。
2026 年 1 月,Argus 安全平台完成对 OpenClaw 的全面安全检测工作,检测过程中排查出 512 处程序漏洞,其中 8 处漏洞危险等级偏高。具体问题包含 OAuth 验证信息以明文文本格式储存、身份核验功能默认处于关闭状态、WebSocket 数据连接未设置访问来源核验机制等。2026 年 3 月,OpenClaw 接连出现 9 项 CVE 相关安全漏洞,其中一项漏洞风险评分达到 9.9 分,安全运行隐患较大。
专业安全机构 Koi Security 对 ClawHub 技能市场内 2857 个功能程序文件开展安全筛查,筛查后发现 341 个存在异常行为的程序文件,其中 335 个文件归属同一类网络攻击行为,该攻击行为代号定为"ClawHavoc"。这类异常程序伪装成办公常用平台的对接插件,实际用于盗取用户数字资产钱包信息以及浏览器储存的各类登录凭证。行业调研机构 Gartner 已发布相关提示内容,提醒企业用户留意 OpenClaw 使用过程中存在的网络安全隐患。
Token 资源使用额度管控失衡,也是 OpenClaw 日常运行里的常见状况。该工具依托 WebSocket 数据网关搭建运行体系,同时对接五十余个信息交互平台,整体架构布局容易形成持续性网络访问端口,数据传输流程繁琐,难以精准把控 Token 资源使用总量。除此以外,功能程序市场存在网络资源供给隐患,工具不具备长期状态留存能力,单次任务结束后运行数据全部清空,重启任务需要重新配置调试,多重问题叠加之下,不少开发者开始寻找适配度更高的替代工具。
Hermes 整体架构布局,能够对应弥补 OpenClaw 日常运行里出现的各类问题,优化调整方向分为四个层面:
第一,自主适配功能更新体系。单次任务流程里调用工具数量达到五个及以上时,Hermes 会自动开启运行复盘流程,生成可重复使用的功能程序文件,后续处理同类工作任务可直接调取使用,无需重新调试设置。平台后台搭载 Curator 自动化运行程序,每周对使用频次偏低、运行效果不佳的功能程序完成评级与内容优化。Nous Research 对外公布的实测数据显示,搭载二十个及以上自主编辑功能程序的智能运行程序,处理同类工作任务的运行速度,相较全新搭建的运行程序提升四成。
第二,长效状态留存体系。Hermes 搭建专属持续数据储存模块,不同工作任务之间的运行数据能够完整留存,改善单次任务结束后数据清空的情况,让智能程序在周期较长的工作任务中,维持连贯稳定的运行状态。
第三,独立模型适配设计。Hermes 不会绑定固定 AI 运行模型,可兼容 OpenRouter 平台内各类主流智能模型,同时适配多款国内开源智能模型。灵活的适配模式,方便使用者结合工作内容类型、项目运行开支自由更换适配模型,减少单一技术平台带来的使用限制。
第四,本地运行优先模式。Hermes 无需长期对外开启 WebSocket 数据服务端口,能够缩减网络外部访问端口数量。在各类网络安全问题频发的行业环境中,这类运行模式更贴合企业用户的使用需求。
Hermes 使用过程中存在固定使用条件,接入的智能模型需要满足 64K 对话文本窗口运行标准,未达到该标准的模型,在处理步骤繁杂的复合型工作任务时,容易出现程序静默停止运行、整体运行水准下滑等情况,使用者挑选搭配模型时,需要结合该项条件综合考量。
03 OpenClaw 与 Hermes 选用参考
结合不同实际使用场景,两款工具的选用可参考如下内容:
未曾使用过 OpenClaw 的人群,可直接上手体验 Hermes。该框架上手操作难度适中,行业交流社群氛围活跃,配套使用文档更新及时,能够对接二十类信息交互平台,可满足多数日常办公使用需求。平台内置 118 款现成功能程序,下载安装后即可投入使用,无需在各类功能程序资源池中逐一筛选适配程序。
已经依托 OpenClaw 搭建大量自定义功能程序与专属工作流程的使用者,需要核算更换工具产生的各类调整成本。Hermes 配备专属迁移指令 hermes claw migrate,能够导入 OpenClaw 原有基础配置内容,但是涉及专属平台数据对接端口的参数设置,依旧需要手动调整,各类自定义功能程序也无法完成全自动迁移。
OpenClaw 长期积累形成的应用生态具备自身优势,平台收录四万四千余款社群研发功能程序,可对接五十余个线上平台,项目收获三十七万枚 GitHub 星标。长期积攒的行业资源,短时间内难以被同类项目赶超。除此之外,英伟达 NemoClaw 企业定制版本、Hostinger、腾讯云等多个技术平台,陆续推出适配 OpenClaw 的预装运行程序,逐步简化企业端部署调试流程。已经完成内部工作流程适配的企业团队,调整更换运行框架产生的各项成本,往往高于修复现有程序漏洞产生的成本。
两类工具在行业内后续发展走向,暂无明确发展趋势。Agent 行业长期发展过程中,行业发展关注点集中在程序运行稳定程度、网络安全防护能力、Token 资源使用成本、行业资源联动效果四个维度。现阶段 Hermes 在运行稳定性、安全防护、资源管控层面表现更为平稳,不过该项目上线时长较短,行业安全技术研究领域尚未全面开展相关检测,随着使用人群不断扩充,对应程序漏洞相关数据大概率会出现增长,这也是各类线上工具发展过程中的普遍现象。OpenClaw 依托成熟的应用生态,依旧可以维持长期稳定的行业使用份额。后续能够持续完成四大应用维度优化调整的工具,会在行业竞争中占据稳定的发展空间。
结束语
各类 Agent 智能工具,能够协助使用者精简重复性工作内容,留出更多时间完成创意类工作内容。各类智能工具始终处于更新调整、市场筛选与迭代升级的发展阶段。OpenClaw 依托短期研发成型的项目雏形,带动整个 Agent 行业迎来全新发展思路;Hermes 凭借短期发展历程,印证整体架构布局对于工具市场适配度带来的影响。行业相关项目之间的良性竞争会持续推进,各类工具研发搭建的初衷,并非单纯抢占行业榜单位次,而是助力广大 AI 工具使用者合理分配时间精力,专注开展深度思考类工作。各类工具会持续完成版本迭代,而贴合实际使用需求、简化办公流程的发展方向,会始终保持不变。
reference
- OpenClaw vs. Hermes Agent: An Honest Comparison of the Two Dominant AI Agent Frameworks of 2026 · innFactory AI Consulting - AI Strategy & Consulting
https://innfactory.ai/en/blog/openclaw-vs-hermes-agent-comparison/ - Hermes Agent vs OpenClaw: Which Open-Source AI Agent Should You Use? | MindStudio
https://www.mindstudio.ai/blog/hermes-agent-vs-openclaw-comparison - Hermes 彻底碾压 OpenClaw,成为打工人首选 AI 搭子
https://mp.weixin.qq.com/s/NYTYi9ncsqiU_YL10KtRKg