ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hermes 记忆与技能系统

v1.0.0

Hermes 智能体增强系统 — 自动记忆管理、技能生成、跨会话持久化

0· 67·0 current·0 all-time
byClement Gu@clementgu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for clementgu/hermes-memory-system.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Hermes 记忆与技能系统" (clementgu/hermes-memory-system) from ClawHub.
Skill page: https://clawhub.ai/clementgu/hermes-memory-system
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install hermes-memory-system

ClawHub CLI

Package manager switcher

npx clawhub@latest install hermes-memory-system
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (memory + skill generation) align with the included files (memory config, skill generation, deployment and test docs). However there are inconsistencies: SKILL.md points to openclaw/hermes-agent-skill.git while deployment docs reference releases under 'your-org/hermes-system' and other placeholders — this mismatch suggests packaging or origin ambiguity. The code/config expect to read/write the user's OpenClaw workspace and manage skills, which is reasonable for this purpose, but some declared features (data export, webhooks, embedding APIs) introduce integrations beyond simple local memory management.
!
Instruction Scope
Runtime instructions and shipped scripts instruct the agent/operator to clone the repo, run ./scripts/deploy.sh and hermes-init/hermes-status binaries, and to copy/link files into ~/.openclaw/workspace. The config defaults enable recording 'tool calls' and 'file operations' and persisting trajectories/code cases — behavior that can capture filesystem paths, file contents, and tool usage traces. SKILL.md and scripts also recommend enabling data export and webhooks (external endpoints configurable), which could transmit collected traces externally if enabled. The deploy/start scripts assume binaries (bin/hermes-*) exist but those files are not present in the manifest, so running the provided deploy steps as-is may either fail or cause unexpected behavior if different binaries are supplied later.
Install Mechanism
This is an instruction-only skill with no packaged install spec (lowest install risk). Shipped shell scripts will copy files into the user's workspace, create symlinks, and invoke init/status binaries. The docs also contain examples of downloading a release tarball and verifying a GPG signature from GitHub, but the URLs use placeholder organizations. There is no direct download from unknown personal servers in the provided manifest, but the mismatch and placeholders mean an operator could be instructed to fetch code from a different (possibly untrusted) URL.
!
Credentials
The skill declares no required environment variables or credentials (good), but its configuration surface includes optional embedding API keys, encryption keys, webhook secrets and API keys for an HTTP API. More importantly, defaults enable recording of file operations, tool calls, and code cases — collecting those artifacts is functionally related to 'skill generation' but broad in scope and could capture sensitive local data (file paths, snippets, or secrets) unless explicitly limited. The SKILL.md does not require credentials up front, but runtime configuration would need careful hardening before enabling exports or embedding providers.
Persistence & Privilege
The skill is not marked always:true and is user-invocable (normal). It intends to persist files into the user's OpenClaw workspace and create services/binaries in that workspace during install — expected for this kind of integration. Autonomous invocation (model-invocation not disabled) is allowed by default; combined with the recording/export features this increases potential blast radius if misconfigured or if the code were replaced with a malicious binary.
What to consider before installing
This package appears to implement the claimed memory and skill-generation features, but take these precautions before installing: 1) Verify the repository origin and release artifacts (confirm the GitHub organization/owner and GPG signatures); the manifest contains inconsistent/placeholder URLs. 2) Inspect any hermes-init / bin/* binaries that the deploy scripts will invoke — they are not included in the manifest you provided; do not run deploy/init scripts until you confirm what will execute. 3) Before enabling in production, disable network exports (webhooks, data_export.sync) and set use_embedding=false until you supply and vet any embedding/encryption keys. 4) Review and narrow 'record_file_operations' / 'record_code_cases' defaults — these can capture local file paths or fragments that may be sensitive. 5) Test installation in an isolated environment (VM or container) and back up ~/.openclaw before running. 6) Prefer an official release artifact from a trusted origin (signed release) or ask the author to resolve the repo/packaging inconsistencies; if you cannot verify origin and binaries, treat the deployment scripts as potentially risky.

Like a lobster shell, security has layers — review code before you run it.

latestvk9711ys28rf5xh4dzerx0y1v3185c5a1
67downloads
0stars
1versions
Updated 4d ago
v1.0.0
MIT-0
Clement Gu@clementgu
latest
Download

🧠 Hermes Agent Skill

概述

将 Hermes Agent 的 Skill 自动生成 + 持久化记忆系统移植到 OpenClaw,让 OpenClaw 拥有任务复盘提炼技能和跨会话记忆的能力。

核心能力

功能描述
🧠 跨会话记忆自动同步对话、预取相关上下文,实现连续对话体验
🔧 Skill 自动生成从任务轨迹中复盘分析,自动提炼可复用的技能
🔗 无缝集成与 OpenClaw 现有体系 100% 兼容,零入侵设计
📊 数据导出将轨迹数据导出为标准化案例,支持模型优化

基准性能

指标实测值标准
sync_turn0.1ms< 500ms
prefetch3.6ms< 500ms
内存占用17.8MB< 100MB
并发处理10线程10+

安装

前提条件

  • OpenClaw 2026.4.15+
  • Python 3.9+
  • PyYAML 6.0+

通过 ClawHub 安装

clawhub install hermes-agent-skill

手动安装

# 1. 克隆项目
git clone https://github.com/openclaw/hermes-agent-skill.git
cd hermes-agent-skill

# 2. 安装依赖
pip install pyyaml

# 3. 初始化系统
./scripts/deploy.sh --workspace ~/.openclaw/workspace --environment production

配置

主配置文件

hermes:
  enabled: true
  memory:
    enabled: true
    auto_sync: true
    max_memory_size: 500
    retention_days: 30
  skill_generation:
    enabled: true
    require_approval: true
    min_trajectories: 3
  data_export:
    enabled: true
    export_dir: data/exports

环境配置

支持三种环境:

  • development — 调试模式,详细日志
  • staging — 预发布验证
  • production — 生产环境,性能优先

使用方法

初始化系统

hermes-init --workspace ~/.openclaw/workspace --config hermes.yaml --environment production

检查系统状态

hermes-status --health

在 OpenClaw 配置文件启用

# ~/.openclaw/config.yaml
skills:
  hermes-agent-skill: true

hermes:
  enabled: true
  memory:
    auto_sync: true

版本历史

详见 CHANGELOG.md

版本日期说明
1.0.02026-04-23初始版本:记忆系统 + Skill 生成 + 兼容性层

开发

本地开发

# 安装开发依赖
pip install pyyaml psutil pytest

# 运行测试
python3 tests/test_memory.py
python3 tests/test_skill_generation.py
python3 tests/test_compatibility.py
python3 tests/test_performance.py
python3 tests/test_integration.py

发布新版本

# 1. 更新版本号
echo "1.1.0" > VERSION

# 2. 更新变更日志
vim CHANGELOG.md

# 3. 发布到 ClawHub
clawhub publish ./hermes-agent-skill --slug hermes-agent-skill \
  --name "Hermes Agent Skill" \
  --version $(cat VERSION) \
  --changelog "$(head -3 CHANGELOG.md)"

许可

MIT License

由 OpenClaw 社区维护 | 报告问题

Comments

Loading comments...