Repello AI published an enterprise threat model for Hermes Agent on May 2, identifying persistent memory as “the largest unbounded attack surface” the firm has seen ship on a developer workstation. The analysis maps four systemic threat classes that standard endpoint detection and response tools miss entirely, according to Repello AI.

Hermes Agent, released by Nous Research in February 2026, has accumulated 110,000 GitHub stars in ten weeks. Its core architectural differentiator is a persistent memory layer backed by SQLite and FTS5 full-text search. The agent accumulates experience across sessions, builds a model of how users work, and writes its own skill files from completed tasks. That same memory layer is what Repello identifies as the primary novel attack surface.

Nine CVEs in Four Days

Between March 11 and March 15, 2026, nine CVEs were disclosed against Hermes Agent across two coordinated advisories, according to Repello. The most severe was a CVSS 9.9 critical skill manifest remote code execution enabling install-time sandbox escape. Two additional CVEs scored CVSS 8.6 for memory injection through retrieved context, a Hermes-specific attack class.

The most recently published CVE is CVE-2026-7396, a path traversal in the WeChat Work platform adapter affecting hermes-agent version 0.8.0, disclosed April 29 on the CVE Database.

Repello’s core argument is that the disclosed CVEs are not the primary risk. “The bulk of enterprise risk does not live in the disclosed CVEs. It lives in the architecture itself,” the threat model states.

Four Threat Classes

Repello ranks four enterprise threat classes by severity:

Skill marketplace supply chain. Hermes installs skills from a growing community marketplace using the same trust pattern as ClawHub: publisher signs a manifest, user installs, runtime grants broad capability. A supply chain audit of ClawHub found 341 malicious skills across 2,857 entries, a 12% malware rate, according to Repello. Hermes’ marketplace is smaller but follows the identical trust model.

Memory injection through retrieved context. This is the Hermes-specific class. An attacker who can write into the agent’s memory store through a shared document, forwarded email, web page, or Slack message plants instructions that the agent retrieves and executes on a future turn. Traditional prompt injection defenses watch user-turn input. Memory retrieval bypasses that surface entirely. The project itself tracks this concern publicly under GitHub issue #496 (Promptware Defense / context-window hardening).

Multi-provider credential surfaces. Hermes’ dependencies include OpenAI and Anthropic SDKs plus integrations across multiple providers. Every workstation running the agent holds long-lived API keys accessible to any process running as the user.

MCP server trust boundary. Every MCP server the agent connects to expands the trust boundary. The protocol does not enforce authentication or capability scoping by default.

Standard Endpoint Detection Fails

Repello’s comparison table illustrates why existing security stacks miss workstation agent attacks. Standard EDR sees a signed Python process making HTTPS calls. It does not see whether the skill being executed is malicious, whether prompts are attacker-controlled, whether memory retrievals contain injected instructions, or whether data exfiltration is routed through a legitimate LLM provider API.

“Workstation agents need a prompt-layer security stack, parallel to the process-layer stack you already have,” Repello states. “That stack didn’t exist as a category until 2026.”

Architectural Comparison

The threat model positions Hermes between Claude Code and OpenClaw on total attack surface. Claude Code carries the lowest risk due to Anthropic’s scoped design and human-in-the-loop write approvals. OpenClaw carries the highest risk because of ClawHub’s 12% malware rate across audited skills, according to the analysis. Hermes sits in the middle on surface area but “uniquely high on subtle attack surface” because of the persistent memory layer.

Developer Sathish Raju, who documented his migration from OpenClaw to Hermes, noted the same architectural tradeoff: Hermes’ self-learning memory loop is “the killer feature” but requires explicit enablement and presents security implications that OpenClaw’s stateless per-skill model avoids, according to his analysis on Medium.

The Pattern Across Agent Frameworks

The Repello analysis reinforces what the broader CVE velocity across workstation agents has shown through early 2026: the most severe security issues exploit the agent’s defining capabilities, not its implementation bugs. Skill marketplaces, persistent memory, multi-provider integrations, and MCP connections are the features that make agents useful. They are also the features that make agents attackable. Patching individual CVEs does not address the architectural exposure.

Nous Research tracks the promptware defense concern openly under issue #496 on the Hermes Agent GitHub repository, suggesting awareness of the memory-layer risk ahead of any specific exploit landing in the wild.