Hermes
Layered Persistent Memory · Deep-Dive DD-08 · Course 1
60 minutes · 33,000+ stars · The depth play · The memory reference
Self-evolving skills that compound across sessions. The system that overtook OpenClaw on OpenRouter (May 10, 2026, 224B tokens/day). On the breadth-vs-depth split, this is unambiguously the depth competitor.
Deep-Dives · The Harness Roster
The thesis — depth as a switching cost
BREADTH (OpenClaw, DD-07)
Be everywhere an enterprise communicates. 40+ channels. Reach is the value.
DEPTH (Hermes)
Be smarter every time you use it. Self-evolving skills that compound. Memory depth is the value.
Breadth is reproducible; a compounding memory is not. A competitor can add channels. A competitor cannot reproduce each user's accumulated skill store — that store encodes a specific history. The hermes claw migrate command is the market expression: depth makes reach obsolete.
The self-evolving skill model
STEP 1
Birth
Agent encounters a non-trivial procedure (auth dance, ticket-filing sequence). Writes it as a skill to the persistent store.
STEP 2
Retrieval
Future session faces a similar task. Skill retrieved by semantic match and injected into context. Agent invokes, not rediscovers.
STEP 3
Compounding
Each retrieval-and-use reinforces. The store grows monotonically richer. Each session leaves the agent more capable.
Working files (tier 2) are static. A semantic store (tier 3) retrieves but does not evolve. Hermes's skill store retrieves and evolves — the only harness in the roster at Module 4 tier 4 with write-back.
Why Hermes is the Module 4 reference
| Memory tier | What it does | Who in the roster |
| 1. In-context | Context window | everyone |
| 2. Working files | Static read/write | most harnesses |
| 3. Semantic store | Retrieves prior context | several |
| 4. Episodic log | Records what happened | a few (read-only) |
| 4. Episodic + write-back | Curates into skills, re-injects | Hermes only |
| 5. Structured DB | Persistent queryable store | Hermes + a few |
The differentiator is tier 4 with write-back: the episodic record is not just logged but curated into skills and re-injected. This is the 5/5 on Module 4 and the load-bearing reason Hermes is the reference.
The memory-poisoning surface — depth is risk
A poisoned WORKING FILE
Read when the task references it. If the task is one-off, read once. Activation surface: a single file path.
A poisoned SKILL
Retrieved on every similar future task. Activation surface: the entire task space the skill plausibly covers. Half-life: effectively unbounded.
The compounding that makes skills valuable is the same compounding that makes poisoning dangerous. A poisoned skill does not decay — it accrues invocations. Each retrieval is an opportunity for the payload to refine, spread, or escalate. This is the strongest argument in the course for Module 4.3's write-gating defense.
Model-initiated writes — the feature IS the vulnerability
The feature
The agent writes skills freely, no gate. This is what makes compounding possible at all — the agent learns from every session without throttle.
The vulnerability
The agent writes skills freely, no gate. A prompt-injected model persists a poisoned skill that compounds across all future sessions. Same decision, read from two sides.
This is not an oversight. A harness-managed write gate (the NemoClaw fix) throttles the write rate — model proposes, harness validates, some proposals rejected. That throttle is the security gain AND a capability tax. Hermes chose the capability over the safety. The poisoning surface is the price of the compounding.
The NemoClaw fix — harness-managed writes
Hermes (DD-08)
Model decides → write to store. No gate. Poisoned skill persists and compounds.
NemoClaw (DD-09)
Model proposes → harness validates → write. Provenance, schema, taint check. Poisoned skill rejected at the gate.
The gate is the single highest-value fix. It converts the compounding-poisoning surface into a compounding-capability surface with the risk closed. The depth-vs-governance contrast between Hermes and NemoClaw is load-bearing for the roster — depth funds capability, governance funds safety.
The score profile — 36/60, depth-specialist shape
| Module | Score | Key decision |
| 4 Memory | 5/5 | All 5 tiers; self-evolving episodic store (reference) |
| 1 Loop | 4/5 | standard ReAct, memory-augmented |
| 2 Tools | 4/5 | memory-aware tool surface |
| 3 Context | 4/5 | memory-augmented context management |
| 12 Prompt | 4/5 | ~5k, memory-aware |
| 5 Sandbox | 2/5 | no container; blast radius is the host |
| 6 Permission | 2/5 | model-initiated writes (the poisoning surface) |
| 9 Verification | 2/5 | limited |
| TOTAL | 36/60 | depth-specialist: max on one axis, below median on safety |
Read the score as a profile, not a ranking. A depth-specialist funds depth by sacrificing safety. The 5/5 on Module 4 and the 2/5 on Modules 5/6 are the same design decision read from two sides.
Anti-patterns
Treating the skill store as a pure feature. It is the feature AND the vulnerability. The same model-initiated write that compounds capability compounds poisoning. Read the skill store as a poisoning surface first when doing security architecture.
Assuming a poisoned skill decays. It does not — it accrues invocations. No TTL, no session boundary clears it. Cure: treat any injection reaching the write path as a persistent compromise requiring a skill-store audit, not a session restart.
Building security-critical work on Hermes without write gating. The value proposition is compounding; the tax is the poisoning surface. Add the NemoClaw-style gate before deploying in any context that cannot tolerate a persistent compromise.
What you can now do
- Articulate the depth play — why a compounding memory is a switching cost breadth cannot reproduce.
- Describe the self-evolving skill model: birth, retrieval, compounding — the deepest memory implementation in the roster.
- Score Hermes 36/60 and defend the shape: 5/5 on Module 4, 2/5 on Modules 5 and 6, and why the same decision produces both.
- Explain why poisoning compounds here specifically and why model-initiated writes are both the feature and the vulnerability.
- Specify the NemoClaw-style harness-managed write gate that closes the poisoning surface.
The lab: simulate a Hermes-style skill store, inject a poisoned skill via an indirect injection, observe the compounding damage across simulated future sessions, then add the write gate and confirm the poisoned skill is rejected.
Next: DD-09 — NemoClaw: The governance-focused harness (the anti-Hermes)