Security Hardening for Hermes Agent


Secure your Hermes deployment with sandboxing, secret management, permission controls, and prompt injection defenses.

Hermes executes code on your machine. Security isn't optional. This guide covers sandboxing, secret management, permission controls, and prompt injection defenses.

Execution Sandboxing

Limit what Hermes can do:

# config.yaml
security:
  sandbox:
    enabled: true
    mode: docker  # or 'firejail', 'bubblewrap'

Sandbox Modes

| Mode | Platform | Isolation |
|---|---|---|
| docker | All | Container isolation |
| firejail | Linux | Process sandboxing |
| bubblewrap | Linux | Lightweight containers |
| none | All | No isolation (risky) |

Docker Sandbox Config

security:
  sandbox:
    docker:
      image: hermes-sandbox:latest
      network: none  # No network access
      memory_limit: 2g
      cpu_limit: 2
      readonly_paths:
        - /etc
        - /usr
      writable_paths:
        - /home/user/projects

Secret Management

Never store secrets in config.yaml. Use environment variables:

# ~/.hermes/.env
OPENAI_API_KEY=sk-xxx
ANTHROPIC_API_KEY=sk-ant-xxx
TELEGRAM_BOT_TOKEN=123456:ABC-xxx

Secret Scanning

Hermes scans agent outputs for leaked secrets:

security:
  secret_scanning:
    enabled: true
    patterns:
      - 'sk-[a-zA-Z0-9]{48}'  # OpenAI
      - 'sk-ant-[a-zA-Z0-9-]+' # Anthropic
      - 'ghp_[a-zA-Z0-9]{36}'  # GitHub

Matched patterns are redacted before display.
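The redaction step works as follows. The block below is an added illustration, not Hermes' own scanner: it takes the three patterns from the config above and replaces every match in a piece of agent output with a label, returning the labels found so they can be written to the audit log. The sample output and the key-shaped strings in it are constructed.

```python
import re

# Patterns copied from the secret_scanning config on this page, paired with
# the label used in the redaction placeholder.
SECRET_PATTERNS = [
    ("OpenAI", re.compile(r"sk-[a-zA-Z0-9]{48}")),
    ("Anthropic", re.compile(r"sk-ant-[a-zA-Z0-9-]+")),
    ("GitHub", re.compile(r"ghp_[a-zA-Z0-9]{36}")),
]


def redact_secrets(text: str) -> tuple[str, list[str]]:
    """Replace each matched secret with [REDACTED:<label>].

    Returns the redacted text and the list of labels that fired, in pattern
    order, so the caller can log *that* a secret leaked without logging it.
    """
    found: list[str] = []
    for label, pattern in SECRET_PATTERNS:
        def _replace(match: re.Match, label: str = label) -> str:
            found.append(label)
            return f"[REDACTED:{label}]"
        text = pattern.sub(_replace, text)
    return text, found


# Constructed sample of agent output containing three key-shaped strings.
# The values are made up and match only the regex shapes above.
SAMPLE_OUTPUT = (
    "Config loaded: OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL, "
    "ANTHROPIC_API_KEY=sk-ant-api03-example-value, "
    "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz; starting run."
)

if __name__ == "__main__":
    redacted, labels = redact_secrets(SAMPLE_OUTPUT)
    print(redacted)
    print("leaked:", labels)
```

Order matters only when patterns overlap; here the OpenAI pattern cannot match an Anthropic key because `ant-` breaks its 48-character alphanumeric run, so the list order from the config is safe to use as-is.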

Permission Controls

File Access

security:
  file_access:
    allowed_paths:
      - ~/projects
      - /tmp/hermes
    blocked_paths:
      - ~/.ssh
      - ~/.aws
      - ~/.gnupg

Command Execution

security:
  commands:
    blocked:
      - rm -rf /
      - sudo rm
      - chmod 777
      - curl | bash
    require_confirmation:
      - git push --force
      - docker system prune
      - npm publish

Network Access

security:
  network:
    allowed_domains:
      - api.openai.com
      - api.anthropic.com
      - github.com
    blocked_domains:
      - '*.ru'
      - '*.cn'
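The three permission sections above (file access, command execution, network access) share one shape: a deny-list that always wins, and an allow-list that everything else must match. The block below is an added example of that evaluation order, written here rather than taken from Hermes; the policy values are copied from the config snippets above, while the home directory, the token-based command matching and the helper names are assumptions of this example.

```python
import fnmatch
import posixpath
import shlex

# Policy values copied from the file_access, commands and network config.
ALLOWED_PATHS = ["~/projects", "/tmp/hermes"]
BLOCKED_PATHS = ["~/.ssh", "~/.aws", "~/.gnupg"]
BLOCKED_COMMANDS = ["rm -rf /", "sudo rm", "chmod 777", "curl | bash"]
CONFIRM_COMMANDS = ["git push --force", "docker system prune", "npm publish"]
ALLOWED_DOMAINS = ["api.openai.com", "api.anthropic.com", "github.com"]
BLOCKED_DOMAINS = ["*.ru", "*.cn"]

HOME = "/home/user"  # constructed so the example runs the same everywhere


def _normalize_path(path: str) -> str:
    """Expand a leading '~' against HOME and collapse '.' and '..' segments.
    This does not resolve symlinks; a real enforcement point should also
    canonicalize with os.path.realpath against the live filesystem."""
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return posixpath.normpath(path)


def _is_within(path: str, root: str) -> bool:
    """True if path is root itself or lies below it (boundary-aware)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def path_allowed(path: str) -> bool:
    """blocked_paths win; anything outside allowed_paths is denied."""
    p = _normalize_path(path)
    if any(_is_within(p, _normalize_path(b)) for b in BLOCKED_PATHS):
        return False
    return any(_is_within(p, _normalize_path(a)) for a in ALLOWED_PATHS)


def _tokens_in_order(needle: list[str], haystack: list[str]) -> bool:
    """True if every needle token appears in haystack in the same order,
    not necessarily adjacent, so 'curl | bash' also catches 'curl URL | bash'.
    Deliberately conservative: it may flag benign commands; it still misses
    commands that reach the same effect with different tokens (e.g. '-f')."""
    it = iter(haystack)
    return all(tok in it for tok in needle)


def classify_command(cmd: str) -> str:
    """Return 'blocked', 'confirm' or 'allow' for one shell command line."""
    try:
        words = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return "blocked"
    for rule in BLOCKED_COMMANDS:
        if _tokens_in_order(shlex.split(rule), words):
            return "blocked"
    for rule in CONFIRM_COMMANDS:
        if _tokens_in_order(shlex.split(rule), words):
            return "confirm"
    return "allow"


def _normalize_host(host: str) -> str:
    return host.strip().rstrip(".").lower()


def domain_allowed(host: str) -> bool:
    """blocked_domains (glob patterns) are checked first; the host must then
    match an allowed_domains entry exactly or by glob. Subdomains of an
    allowed name are not implied: 'api.github.com' is not 'github.com'."""
    h = _normalize_host(host)
    if any(fnmatch.fnmatchcase(h, b.lower()) for b in BLOCKED_DOMAINS):
        return False
    return any(fnmatch.fnmatchcase(h, a.lower()) for a in ALLOWED_DOMAINS)


if __name__ == "__main__":
    for p in ["~/projects/app/main.py", "~/projects/../.ssh/id_rsa", "/etc/passwd"]:
        print(f"path {p!r}: {path_allowed(p)}")
    for c in ["ls -la", "rm -rf /", "git push origin main --force"]:
        print(f"command {c!r}: {classify_command(c)}")
    for d in ["api.openai.com", "example.ru", "example.org", "GITHUB.COM."]:
        print(f"domain {d!r}: {domain_allowed(d)}")
```

Two design points worth noticing: path checks normalize `..` before comparing, so `~/projects/../.ssh/id_rsa` is evaluated as `~/.ssh/id_rsa` and hits the deny-list; and with a non-empty `allowed_domains` the allow-list is the effective network control, while the TLD globs in `blocked_domains` only demonstrate that a deny entry takes precedence.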

Prompt Injection Defenses

Memory Injection Protection

Memory writes are scanned for injection patterns:

security:
  injection_protection:
    enabled: true
    scan_memory_writes: true
    strip_unicode_control: true  # Remove invisible characters
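What `strip_unicode_control` removes is best seen on a concrete memory note. The block below is an added illustration, not Hermes' implementation: it drops characters in the Unicode control and format categories (zero-width characters, bidirectional overrides, soft hyphens and similar invisible code points) while keeping newlines and tabs, and reports the code points it removed so they can be recorded in the audit log. The sample note is constructed.

```python
import unicodedata

# Control characters that carry layout and are kept as-is.
KEEP_CONTROLS = {"\n", "\t"}

# Unicode general categories treated as invisible or non-text:
# Cc control, Cf format (zero-width, bidi overrides, soft hyphen, tags),
# Co private use, Cs surrogates, Cn unassigned.
STRIP_CATEGORIES = {"Cc", "Cf", "Co", "Cs", "Cn"}


def strip_unicode_control(text: str) -> tuple[str, list[str]]:
    """Return (cleaned_text, removed_code_points).

    removed_code_points lists each stripped character as 'U+XXXX', in order
    of appearance, so a memory write that carried hidden characters can be
    logged without storing the raw bytes. Caveat: some scripts use ZWJ/ZWNJ
    (both Cf) legitimately; a deployment handling such text should exempt them.
    """
    cleaned: list[str] = []
    removed: list[str] = []
    for ch in text:
        if ch in KEEP_CONTROLS:
            cleaned.append(ch)
        elif unicodedata.category(ch) in STRIP_CATEGORIES:
            removed.append(f"U+{ord(ch):04X}")
        else:
            cleaned.append(ch)
    return "".join(cleaned), removed


# Constructed memory note carrying a soft hyphen, a zero-width space and a
# right-to-left override; none of them are visible when rendered.
SAMPLE_NOTE = "User prefers dark\u00admode.\u200b\u202e"

if __name__ == "__main__":
    cleaned, removed = strip_unicode_control(SAMPLE_NOTE)
    print(repr(cleaned))
    print("removed:", removed)
```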

Input Sanitization

security:
  input_sanitization:
    max_message_length: 10000
    strip_html: true
    escape_markdown: false

Rate Limiting

Prevent abuse and cost overruns:

security:
  rate_limits:
    requests_per_minute: 30
    tokens_per_hour: 100000
    tools_per_message: 10
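The three limits above are enforced differently: two are sliding windows over time and one is a per-message count. The block below is an added example of that logic, not Hermes' own limiter, using the values from the config; the clock is passed in explicitly so the behaviour is deterministic, which is an assumption of the example rather than of the product.

```python
from collections import deque


class RateLimiter:
    """Sliding-window limits for requests/minute and tokens/hour, plus a
    fixed cap on tool calls per message. Timestamps are seconds (float)."""

    def __init__(self, requests_per_minute=30, tokens_per_hour=100_000,
                 tools_per_message=10):
        self.requests_per_minute = requests_per_minute
        self.tokens_per_hour = tokens_per_hour
        self.tools_per_message = tools_per_message
        self._requests: deque[tuple[float, int]] = deque()  # (timestamp, 1)
        self._tokens: deque[tuple[float, int]] = deque()    # (timestamp, tokens)

    @staticmethod
    def _prune(window: deque, now: float, seconds: int) -> None:
        """Drop entries that have fallen out of the trailing window."""
        while window and window[0][0] <= now - seconds:
            window.popleft()

    def allow_request(self, now: float) -> bool:
        """Admit a request if fewer than requests_per_minute were admitted
        in the last 60 seconds. Only admitted requests count."""
        self._prune(self._requests, now, 60)
        if len(self._requests) >= self.requests_per_minute:
            return False
        self._requests.append((now, 1))
        return True

    def allow_tokens(self, tokens: int, now: float) -> bool:
        """Admit a completion of `tokens` tokens if the last hour's admitted
        usage plus this one stays within tokens_per_hour."""
        self._prune(self._tokens, now, 3600)
        used = sum(n for _, n in self._tokens)
        if used + tokens > self.tokens_per_hour:
            return False
        self._tokens.append((now, tokens))
        return True

    def allow_tools(self, tool_calls: int) -> bool:
        """Per-message cap: no time component."""
        return tool_calls <= self.tools_per_message


def demo() -> dict:
    """Drive the limiter with a constructed timeline and return the verdicts."""
    rl = RateLimiter()
    burst = [rl.allow_request(float(t)) for t in range(30)]   # t = 0..29 s
    return {
        "burst_all_allowed": all(burst),
        "31st_at_30s": rl.allow_request(30.0),                # window full
        "after_two_expire_at_61s": rl.allow_request(61.0),    # t=0 and t=1 aged out
        "tokens_60k": rl.allow_tokens(60_000, 0.0),
        "tokens_50k_over": rl.allow_tokens(50_000, 10.0),     # would reach 110k
        "tokens_40k_fits": rl.allow_tokens(40_000, 10.0),     # exactly 100k
        "tokens_60k_next_hour": rl.allow_tokens(60_000, 3600.0),
        "tools_10": rl.allow_tools(10),
        "tools_11": rl.allow_tools(11),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Rejected requests are not recorded, so a client that keeps retrying does not extend its own lockout; whether that is desirable depends on whether the limit protects cost (as here) or an upstream provider quota.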

Audit Logging

Log all agent actions:

security:
  audit:
    enabled: true
    log_file: ~/.hermes/audit.log
    include:
      - tool_calls
      - file_access
      - command_execution
      - api_requests

Audit log format:

{"timestamp": "2026-04-22T10:30:00Z", "action": "file_write", "path": "/home/user/project/main.py", "size": 1234}

Multi-User Deployments

For shared servers:

security:
  multi_user:
    isolate_sessions: true
    per_user_quotas:
      tokens_per_day: 50000
    user_directories:
      pattern: /home/{user}/hermes

Security Checklist

  • Enable sandboxing (sandbox.enabled: true)
  • Move secrets to .env file
  • Block sensitive paths (~/.ssh, ~/.aws)
  • Enable secret scanning
  • Set rate limits
  • Enable audit logging
  • Review blocked commands list
  • Test injection defenses

Frequently Asked Questions

Is sandboxing required?

Strongly recommended. Without sandboxing, Hermes has the same file and network access as your user account.

Can Hermes access my SSH keys?

By default, yes. Add `~/.ssh` to `blocked_paths` to prevent access, and do the same for `~/.aws` (AWS credentials) and `~/.gnupg` (GPG keys).

How do I know if there's a prompt injection attempt?

Enable audit logging. Injection patterns are logged when detected. Memory writes with suspicious content are blocked.
