AI agents run on your server, access your tools, read your data, and execute commands on your behalf. When they work, they're powerful. When they're compromised, they have the keys to everything. The AI agent security landscape in 2026 is concerning — malicious skills, exposed servers, and a critical CVE have already affected hundreds of thousands of users.
This guide covers the real risks, what's happened so far, and how to protect yourself whether you're running Hermes Agent, OpenClaw, or any self-hosted AI framework.
Key Takeaway
The biggest risk isn't the agent itself — it's the skills/plugins you install and the infrastructure you run it on. Audit every third-party skill, don't expose ports to the internet without authentication, and never give agents access to production systems without review.
What Security Incidents Have Already Happened?
Three significant events define the current threat landscape:
OpenClaw's malicious skill campaign: A Koi Security audit of 2,857 ClawHub skills found 341 malicious entries — 335 tied to a single coordinated campaign. These skills performed data exfiltration and prompt injection without users' knowledge. The Chinese government banned OpenClaw from state-owned company computers in March 2026.
CVE-2026-25253: A critical vulnerability in OpenClaw with a CVSS score of 8.8 (high severity). SecurityScorecard reported tens of thousands of publicly exposed OpenClaw instances — servers running the agent framework with open ports accessible from the internet.
Anthropic usage restrictions: Anthropic changed how third-party agents can authenticate with Claude subscriptions, creating uncertainty for anyone running Claude through agent frameworks. This isn't a security incident per se, but it disrupted the operational model many agent users relied on.
How Does Hermes Agent Handle Security?
Hermes takes a more conservative approach than OpenClaw, with several security features built into the architecture:
| Security Feature | Hermes Agent | OpenClaw |
|---|---|---|
| Container hardening | Yes — read-only root, dropped capabilities | Optional, not default |
| Namespace isolation | Yes | Limited |
| Pre-execution scanning | Yes — scans terminal commands before running | No |
| Filesystem checkpoints | Yes — can rollback changes | No |
| Skill marketplace audit | Smaller ecosystem, less exposure | 13,700+ skills, 341 found malicious |
| Known CVEs | 0 (as of May 2026) | CVE-2026-25253 (CVSS 8.8) |
💡 Honest Caveat
Hermes's zero-CVE record reflects limited deployment exposure (launched February 2026), not proven invulnerability. OpenClaw has been deployed at far greater scale for longer — more deployment means more discovered vulnerabilities. Both frameworks require security review before production use.
📬 Getting value from this? We publish weekly on AI security and tools. Get it in your inbox →
---How Do You Secure a Self-Hosted AI Agent?
Whether you're running Hermes, OpenClaw, or any other agent framework, these principles apply:
1. Never expose ports to the public internet. Run the agent behind a VPN or use SSH tunnels. The tens of thousands of exposed OpenClaw instances were found because people ran the agent on public IPs with open ports.
2. Audit every third-party skill before installing. Read the code. Check what permissions it requests. Look at who published it and when. 335 malicious skills in one campaign means skill marketplaces are an active attack surface.
3. Run with minimal permissions. Don't give the agent root access. Don't connect it to production databases. Use read-only access wherever possible. The principle of least privilege applies to AI agents just like human users.
4. Enable container isolation. Hermes supports Docker containers with read-only root filesystems and dropped capabilities. Use them. If the agent is compromised, containerization limits the blast radius.
5. Monitor API costs for anomalies. A compromised agent running expensive API calls can rack up thousands in charges. Set spending limits on your LLM provider accounts and monitor for unusual spikes.
6. Keep the agent updated. Both Hermes and OpenClaw are actively developed. Security patches ship regularly. Run the latest version and subscribe to security advisories.
Should You Trust AI Agents with Sensitive Data?
The honest answer: not yet, for most use cases. AI agents in 2026 are powerful but the security ecosystem is immature. The Stanford HAI AI Index 2026 reports that agents succeed roughly two out of three times on structured benchmarks — a 33% failure rate is too high for sensitive operations.
Use agents for tasks where mistakes are reversible and the data isn't confidential. Research, scheduling, communication drafts, data analysis on non-sensitive datasets — these are appropriate. Financial transactions, medical decisions, legal actions, and anything involving customer PII should have human review before execution.
For more on how AI agents work and their current limitations, see our complete guide. For privacy-focused AI tool comparisons, check our AI privacy guide.
---📬 Want more like this? AI security updates and tool reviews, weekly. Subscribe free →
---Frequently Asked Questions
Is Hermes Agent safer than OpenClaw?
Hermes has more conservative security defaults and zero CVEs, but it's also younger and less battle-tested. Neither framework should be considered secure without your own security review. Choose based on your use case, not security claims alone.
Can AI agents be hacked through prompt injection?
Yes. Prompt injection — where malicious content in a document or message tricks the agent into executing unintended actions — is an active risk for all AI agent frameworks. The pre-execution scanner in Hermes helps but isn't foolproof.
Should I run AI agents on my personal computer?
For testing and light use, yes. For always-on production use, a VPS is recommended — it isolates the agent from your personal data and provides more controlled access. Never run an agent on a machine with sensitive personal or financial data without containerization.
Disclosure: Some links in this article are affiliate links. We only recommend tools we've personally tested and use regularly. See our full disclosure policy.