Cato CTRL™ Insights: Governing Hermes Agent, Security for AI That Learns, Remembers, and Acts
Table of Contents
- 1. What is Hermes Agent, and Why Do Self-Improving Agents Matter?
- 2. Hermes Agent vs. OpenClaw: Similar Risk Pattern, Different Agent Model
- 3. Cato SASE Cloud Platform Insights: Hermes Integration Patterns
- 4. The Hermes Agent Attack Surface
- 5. Why This Matters for Enterprise Security
- 6. Governing Hermes Agent with Cato
- 7. Self-Improving Agents Need Continuous Governance
Agentic AI is evolving from assistants that answer questions into systems that can remember, use tools, call APIs, interact with SaaS applications, and improve over time. Hermes Agent, developed by Nous Research, reflects this shift as a self-improving agent that can create skills, persist knowledge, and build context across sessions.
Cato SASE Cloud platform insights show that Hermes Agent adoption is already taking shape inside enterprise workflows, with GitHub representing the dominant third-party integration and Google Workspace showing early signs of broader productivity use. To help customers identify and govern this emerging activity, Cato has added Hermes Agent to the Cato App Catalog and AI Security discovery, and can surface Remote Port Forwarding posture insights for overly permissive exposure of AI-related services.
What is Hermes Agent, and Why Do Self-Improving Agents Matter?
Hermes Agent is an open-source autonomous AI agent built by Nous Research. It combines a conversational interface, persistent memory, tool use, integrations, reusable skills, an OpenAI-compatible API server, and a local web dashboard for configuration and monitoring. In that sense, Hermes is more than a chatbot. Rather, it is a self-improving agent designed to learn from experience, retain useful context, refine skills, and optimize repeated workflows over time.
This makes Hermes valuable for developers and automation-heavy teams that repeatedly inspect repositories, summarize pull requests, query documentation, open tickets, or interact with tools such as GitHub and Google Workspace. But the same behavior also increases security risk: Hermes may retain, reuse, and act on data across sessions. Because self-improving agents can retain context and reuse it across workflows, they also require governance over what they learn, what they store, and which tools they can access.
Hermes Agent vs. OpenClaw: Similar Risk Pattern, Different Agent Model
Hermes Agent and OpenClaw both belong to the emerging class of agentic AI systems that connect language models to tools, workflows, and operational environments. In both cases, the security concern shifts from “AI that answers” to “AI that acts,” where prompts can potentially trigger file access, API calls, browser actions, messages, or infrastructure changes.
The key difference is that Hermes adds a self-improving layer. While OpenClaw highlights the risk of autonomous action, Hermes highlights autonomous action combined with persistent learning. It can create and refine skills, remember context, search past conversations, and build continuity across sessions. This makes it more useful over time, but also allows it to accumulate more context, permissions, integrations, and implicit trust.
Cato SASE Cloud Platform Insights: Hermes Integration Patterns
In Figure 1, we show the distribution of third-party applications that we observed accessed via Hermes Agent. GitHub accounts for more than 81% of observed third-party session hits, suggesting that software engineering teams are the clear early adopters. This points to workflow-integrated use cases such as code review, repository automation, pull request workflows, and issue analysis.
Beyond GitHub, Google Workspace activity suggests Hermes is beginning to expand into broader collaboration and productivity workflows, while Reddit and Quora indicate research and intelligence-gathering use cases. OpenRouter activity points to a more advanced AI-engineering segment using Hermes with multi-LLM routing. Together, these patterns show a familiar adoption curve: developers first, AI practitioners next, and enterprise collaboration teams following.
Figure 1. Third-Party Apps Accessed via Hermes Agent
The Hermes Agent Attack Surface
Hermes Agent is more than a standalone application. It is an agentic runtime that can store memory, use tools, expose APIs, and connect to third-party services. This creates several key risk areas:
- Local web dashboard exposure: The dashboard binds to 127.0.0.1 by default, but if exposed through 0.0.0.0, Docker port mapping, or a reachable host, it may become accessible from the network or internet. This is sensitive because the dashboard reads and writes the .env file and has no built-in authentication.
- Gateway/API server on port 8642: Port 8642 exposes Hermes’ OpenAI-compatible gateway API server and health endpoint. If broadly exposed, it can become a control point into an agent connected to tools, memory, workflows, or enterprise applications.
- Secrets and environment files: Hermes relies on configuration files such as .env, which may contain API keys, model tokens, SaaS credentials, or integration secrets. Exposure can lead not only to credential theft, but also to unauthorized actions across connected systems.
- Tool and integration abuse: Hermes can interact with tools and services. A malicious prompt, poisoned memory item, compromised repository, risky web page, or exposed API endpoint could influence agent behavior and trigger file access, API calls, data movement, or SaaS interactions.
- Persistent memory and skill poisoning: Because Hermes can learn across sessions, risk may persist beyond a single interaction. Malicious instructions could be stored as memory, unsafe assumptions could be embedded into generated skills, or repeated workflows could continue sending sensitive data to the wrong destination.
This is why Hermes governance needs more than one-time app detection. Security teams need visibility into exposed ports, connected tools, SaaS activity, credentials, memory behavior, and repeated data movement patterns.
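A host-side check for the exposure described in this section, as an added example that is not from Cato or the Hermes project: it flags listeners on the ports this page names (8642, 9119) that are bound to anything other than loopback, reading `ss -ltnH` output and a `docker ps` PORTS column. The sample inputs are constructed and the function names are illustrative.

```python
import ipaddress

WATCHED_PORTS = {8642, 9119}  # the agent ports this page names
# Constructed samples for illustration; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:9119 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8642 0.0.0.0:*
LISTEN 0 128 [::1]:8642 [::]:*
LISTEN 0 128 192.168.1.20:9119 0.0.0.0:*
"""
SAMPLE_DOCKER_PORTS = "0.0.0.0:8080->8642/tcp, 127.0.0.1:9119->9119/tcp, 5432/tcp"

def split_addr(addr):
    """Split 'host:port' (IPv6 hosts may be bracketed) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """True only for a literal loopback address; wildcards count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*', '' or anything unparsable: assume reachable

def exposed_listeners(ss_output, ports=WATCHED_PORTS):
    """Watched ports listening on a non-loopback address (`ss -ltnH` text)."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            host, port = split_addr(fields[3])
            if port in ports and not is_loopback(host):
                found.append((host, port))
    return found

def exposed_docker_mappings(ports_column, ports=WATCHED_PORTS):
    """Published mappings whose container port is watched (`docker ps` PORTS)."""
    found = []
    for mapping in ports_column.split(","):
        published, arrow, target = mapping.strip().partition("->")
        if not arrow or "-" in target:
            continue  # not published on the host, or a port range (not handled here)
        host, host_port = split_addr(published)
        if int(target.split("/")[0]) in ports and not is_loopback(host):
            found.append((host, host_port, target))
    return found

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_SS), exposed_docker_mappings(SAMPLE_DOCKER_PORTS))
```

The Docker check matches on the container-side port, so a mapping such as host port 8080 to container port 8642 is still reported even though 8642 never appears as a host listener.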
Why This Matters for Enterprise Security
Agentic AI blurs traditional security boundaries. A user may think they are interacting with a local assistant, while that assistant may also be connected to SaaS apps, local files, cloud APIs, source-code repositories, messaging platforms, model providers, internal tools, and secrets.
This creates a new governance requirement: security teams need visibility not only into which AI apps are being used, but also which users are using them, which tools they invoke, which third-party services they access, whether sensitive data is shared, whether downloads occur, and whether exposed ports create reachable control planes.
Governing Hermes Agent with Cato
With Hermes Agent added to the Cato App Catalog, customers can detect or block Hermes downloads through application, web, and traffic visibility, helping identify early adoption or unmanaged installation attempts. Cato Scout discovery can also help identify Hermes usage across the organization, while inline traffic inspection can provide visibility into the third-party services Hermes accesses, such as developer, productivity, or collaboration platforms.
When Hermes Agent connects to supported third-party AI services, Cato AI Security can help detect and control PII exposure in visible AI interactions that pass through Cato-supported inspection or integration paths. For self-hosted deployments, Remote Port Forwarding posture insights can help proactively flag overly permissive exposure of AI-related services, including sensitive agent ports such as 8642 or 9119, because a reachable agent interface can become a reachable automation interface.
Self-Improving Agents Need Continuous Governance
Hermes Agent shows where agentic AI is heading: systems that do not just answer questions, but remember, learn, create skills, use tools, and operate across enterprise workflows. Cato SASE Cloud platform insights already show this adoption pattern forming, with GitHub dominating third-party Hermes activity and Google Workspace indicating early expansion into broader productivity workflows.
The lesson from OpenClaw still applies: when AI can act, governance becomes mandatory. Hermes extends this further because it can also learn and persist. With Hermes Agent in the Cato App Catalog, Scout discovery, inline inspection of its third-party integrations, and Remote Port Forwarding posture insights for overly permissive AI-service exposure, Cato helps customers identify and govern this emerging agentic AI risk without blocking innovation blindly.
