XDA Developers’ lead technical editor Adam Conway published a hands-on comparison of OpenClaw and Hermes Agent on May 19, and the conclusion is blunt: “Hermes Agent gets a lot right, and it’s something I’d trust a lot more than OpenClaw.” The article is the most detailed editorial treatment yet of how the two dominant open-source agent frameworks handle the thing that actually matters when you give software persistent access to your accounts: whether the project treats security as a starting constraint or a bug class to triage later.

The Policy Gap

Conway’s central argument is structural, not about any single vulnerability. OpenClaw’s security documentation, according to his analysis, spends most of its space declaring what is out of scope: multi-tenant adversarial use, session identifiers treated as authorization tokens, exec approvals relied on as containment boundaries. The project’s own SECURITY.md history, Conway notes, is “dozens of ‘scope X as hardening-only’ commits added after the disclosures.”

Hermes Agent’s security documentation takes the opposite approach. It opens with a single sentence Conway calls “more useful than anything in the OpenClaw repo”: the only security boundary against an adversarial LLM is the operating system. From there, Hermes provides seven defense-in-depth layers, an explicit isolation comparison across terminal backends, and a clear statement that the local backend offers no host isolation. The framing matters in practice: everything above that line, from command approval to pairing and role tiers, limits who can ask the agent to act and what it will agree to do, but none of it contains a model that has already been steered into running code. That is why the note about the local backend is the one to read first when choosing where the agent executes.

The practical difference shows up in a scenario Conway walks through: a home server running an agent, shared between two people via their phones, connected to Google and GitHub. Under OpenClaw’s documented policy, anyone who reaches the gateway is a trusted operator on every connected service. Under Hermes, platform identity through Telegram or Discord, expiring DM pairing codes, and admin-versus-regular role tiers provide layers that OpenClaw scopes out of its threat model entirely. Neither project solves per-user RBAC inside the agent. Hermes documents and configures the layers above the OS boundary; OpenClaw declares them out of scope.
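To make the layering concrete, here is an added example, not code from Hermes Agent or OpenClaw, of the pairing-and-tier gate the scenario describes: an admin mints a short-lived, single-use pairing code, the platform identity that redeems it from a DM is bound to a role, and every later request is checked against a default-deny policy table. The action names, role names, ten-minute TTL, and identities such as `("telegram", "alice")` are assumptions for illustration; the `demo()` function walks the two-phones-one-server case with a fake clock.

```python
"""Pairing-code and role-tier gate for a shared agent.

Added example, not code from Hermes Agent or OpenClaw. It models the layers
the article says Hermes puts above the OS boundary: an admin issues a
short-lived, single-use DM pairing code; whoever redeems it from a platform
DM is bound to a role; every later request is authorized by
(platform, user_id) -> role. Action names, roles and TTL are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

PAIRING_TTL_SECONDS = 600  # assumed: a pairing code is valid for ten minutes

# Assumed policy table: the minimum role tier each action class needs.
# Anything not listed is denied (default deny).
ACTION_MIN_ROLE = {
    "chat": "regular",
    "read_skill": "regular",
    "edit_skill": "admin",
    "exec": "admin",   # shell/command approval stays with admins
    "pair": "admin",   # only admins mint new pairing codes
}
ROLE_RANK = {"regular": 1, "admin": 2}


@dataclass
class PendingCode:
    role: str
    expires_at: float


@dataclass
class PairingGate:
    clock: Callable[[], float] = time.time
    # sha256(code) -> PendingCode; the plaintext code is never stored
    pending: dict[bytes, PendingCode] = field(default_factory=dict)
    # (platform, user_id) -> role, e.g. ("telegram", "123456") -> "admin"
    bindings: dict[tuple[str, str], str] = field(default_factory=dict)

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue_code(self, role: str) -> str:
        """Mint a pairing code for `role`; return it once for out-of-band delivery."""
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
        self.purge_expired()
        code = secrets.token_urlsafe(12)  # 96 random bits, not guessable within the TTL
        self.pending[self._digest(code)] = PendingCode(role, self.clock() + PAIRING_TTL_SECONDS)
        return code

    def purge_expired(self) -> None:
        """Drop codes whose TTL has passed so they can never be redeemed late."""
        now = self.clock()
        for h in [h for h, p in self.pending.items() if now > p.expires_at]:
            del self.pending[h]

    def redeem(self, platform: str, user_id: str, code: str) -> bool:
        """Bind a platform identity to the role carried by a live, unused code.

        Lookup is by digest, so only hashes of live codes sit in memory, and
        pop() makes every code single use; expired or reused codes fail closed.
        """
        self.purge_expired()
        entry = self.pending.pop(self._digest(code), None)
        if entry is None:
            return False
        self.bindings[(platform, user_id)] = entry.role
        return True

    def role_of(self, platform: str, user_id: str) -> Optional[str]:
        return self.bindings.get((platform, user_id))

    def authorize(self, platform: str, user_id: str, action: str) -> bool:
        """Default-deny check: unpaired senders and unknown actions both fail."""
        role = self.role_of(platform, user_id)
        needed = ACTION_MIN_ROLE.get(action)
        if role is None or needed is None:
            return False
        return ROLE_RANK[role] >= ROLE_RANK[needed]


def demo() -> dict:
    """Walk the article's two-phones-one-server scenario with a fake clock."""
    now = [1_000_000.0]
    gate = PairingGate(clock=lambda: now[0])

    admin_code = gate.issue_code("admin")
    alice_paired = gate.redeem("telegram", "alice", admin_code)
    reused = gate.redeem("telegram", "mallory", admin_code)      # replay of a used code

    regular_code = gate.issue_code("regular")
    now[0] += PAIRING_TTL_SECONDS + 1                            # let it expire
    expired = gate.redeem("discord", "bob", regular_code)

    bob_paired = gate.redeem("discord", "bob", gate.issue_code("regular"))

    return {
        "alice_paired": alice_paired,
        "bob_paired": bob_paired,
        "reused_code_accepted": reused,
        "expired_code_accepted": expired,
        "alice_exec": gate.authorize("telegram", "alice", "exec"),
        "bob_chat": gate.authorize("discord", "bob", "chat"),
        "bob_exec": gate.authorize("discord", "bob", "exec"),
        "stranger_chat": gate.authorize("telegram", "eve", "chat"),
        "alice_unknown_action": gate.authorize("telegram", "alice", "delete_everything"),
    }
```

Two things are worth noticing about where this sits. First, it is an identity and approval layer, not a containment one: it decides that Bob’s phone may chat but may not request `exec`, and says nothing about what a command can touch once an admin approves it, which is exactly the OS-boundary point above. Second, a sender the gate has never paired (the “stranger” in `demo()`) is refused even plain chat, which is the behaviour OpenClaw’s gateway policy, as Conway describes it, does not provide.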

Defaults Shape Deployments

Conway’s second argument is about defaults. OpenClaw’s UI historically made connecting services easy and its documentation encouraged broad integration. The result, according to innFactory’s neutral architectural comparison published May 18, is a framework organized around a central WebSocket gateway connecting to more than 50 messaging platforms and a skill marketplace (ClawHub) hosting over 44,000 community-built skill files. The bet is that an agent is most valuable when it can reach everything.

Hermes deliberately supports fewer integrations (20 messaging platforms) and makes “command approval, DM pairing, container isolation” the default configuration rather than an advanced hardening step. Conway’s own deployment reflects this philosophy: no email, no calendar, no production credentials, running in an LXC on a firewalled VLAN. “If somebody compromises the LLM,” he writes, “there’s nothing important they suddenly gain access to.”

The skill systems diverge in the same direction. ClawHub became a marketplace where third-party skills grew dangerous enough that OpenClaw partnered with VirusTotal to screen malicious uploads. Hermes flips the default: the agent writes its own skills after completing non-trivial tasks, storing structured documents that the operator can read, edit, or delete. Conway reports that his daily news workflow has been iteratively improved by the model itself based on his feedback, with every skill file fully auditable. Auditable is not the same as audited, though: a skill the model writes at the end of a prompt-injected task carries that injection into every later run that loads it, so the operator’s read-and-delete step is part of the control rather than a convenience.

The Competitive Context

The editorial lands at a moment when Hermes is gaining ground across multiple metrics. TechTimes reported on May 15 that Hermes surpassed OpenClaw on OpenRouter’s daily inference rankings on May 10, processing 224 billion tokens against OpenClaw’s 186 billion. OpenClaw still leads the cumulative all-time chart (9.17 trillion vs. 6.35 trillion), but the daily figure indicates where developers are putting new workloads.

NCT’s own coverage has tracked this trajectory. OpenClaw’s five-point security roadmap, published May 12, represents genuine movement: filesystem boundaries (fs-safe), network egress controls (Proxyline), ClawHub trust tiers, contextual command approvals, and OpenGrep static analysis. The question Conway raises is whether retrofitting security onto a codebase whose creator told Pragmatic Engineer “I ship code I don’t read” can close the trust gap with a project that started from the opposite premise.

What Conway Gets Right (and What He Leaves Out)

Conway is careful to note that Hermes “isn’t ‘secure’ in the sense that it mitigates every problem OpenClaw had.” Prompt injection remains unsolved in both projects. A well-engineered framework is not a well-configured deployment. The article avoids the trap of declaring Hermes a complete solution and instead frames the choice as: which project’s defaults and documentation steer users toward safer deployments?

What the piece does not address is scale. OpenClaw’s 50+ platform integrations, 44,000+ ClawHub skills, and 370,000+ GitHub stars represent an ecosystem Hermes has not replicated. For operators who need breadth of connectivity, OpenClaw’s architecture remains unmatched. The trust question Conway raises is real, but so is the integration question he mostly ignores.

The agent framework race in May 2026 is no longer a single-axis competition on capability or star count. It is splitting into at least two races: one on reach and ecosystem, where OpenClaw leads, and one on security posture and operational trust, where Hermes is pulling ahead. Conway’s editorial is the clearest articulation yet of why builders are choosing sides.