OpenClaw made it normal to drop a stranger's SKILL.md into your agent — and the security bill came due fast. Here's why I prefer Nous Research's Hermes Agent, which writes, refines, and prunes its own skills instead of trusting a marketplace.
The fastest way to give an AI agent a new capability in 2026 is also the most dangerous: you find a skill someone else wrote, drop the SKILL.md into a folder, and your agent suddenly knows how to do a thing. No build step, no review, no real idea what those Markdown instructions tell your agent to do behind the scenes. OpenClaw — Peter Steinberger's wildly popular local-first agent that went viral in January 2026 — made this the default mental model for a whole generation of agent users. And that convenience is exactly the problem.
The skills supply chain came due fast
When anyone can publish a skill and anyone can install one, "skills" stops being a feature and starts being an attack surface. The numbers are not subtle. In February 2026, Snyk's ToxicSkills research scanned 3,984 agent skills published to community registries like ClawHub and skills.sh. The findings: 36% contained prompt-injection vulnerabilities, 534 skills (13.4%) shipped at least one critical security issue, and researchers confirmed 76 outright malicious payloads — some still publicly downloadable at the time of writing.
What does the bar to publish one of these look like? Per Snyk, all you needed to ship a skill to ClawHub was "a SKILL.md Markdown file and a GitHub account that's one week old." The malicious ones weren't subtle either: they distributed malware inside password-protected ZIPs to dodge scanners, exfiltrated AWS keys with base64- and Unicode-obfuscated commands, and instructed agents to disable their own safety settings. Cisco's AI security team had already caught a third-party OpenClaw skill performing silent data exfiltration and prompt injection back on January 28, 2026 — well before the wider ecosystem caught up.
The structural flaw is the trust model. A skill is just natural-language instructions your agent executes with your file system, your shell, and your credentials. When those instructions come from a stranger's repo, "installing a skill" is functionally "running untrusted code as yourself." OpenClaw's openness is genuinely great for adoption — it's a big reason it crossed a quarter-million GitHub stars in weeks — but openness and a vetting-free marketplace are not the same thing.
The alternative: an agent that writes its own skills
This is where Hermes Agent from Nous Research changed how I think about the problem. It's also open source (MIT), also local-first and always-on — but its skill model is inverted. Instead of importing capabilities from other people, Hermes grows its own.
Hermes runs what it calls a closed learning loop: after a complex task, it can author a new skill from what it just did, then refine that skill during subsequent uses. The self-evolution machinery is built on DSPy + GEPA (a genetic-Pareto approach to prompt and skill optimization), so improvement happens through evaluated iteration rather than a one-time copy-paste. Critically, no model training or GPU is required — it mutates and scores text via ordinary API calls.
The part that sold me, though, is the autonomous Curator. Hermes doesn't just accumulate skills until the library turns into a junk drawer. The Curator periodically grades the skills it has, consolidates overlapping ones into a single better skill, and prunes the ones that aren't earning their keep. That's the maintenance behavior I'd otherwise have to do by hand — and it's the behavior almost nobody actually does by hand. An agent that gardens its own capabilities is a fundamentally different safety story than one that hoards whatever the internet handed it.
To be clear about the trade-off: a self-grown skill library starts slower. You don't get an instant catalog of a thousand community skills. But everything in it came from your agent's real work in your environment, which means you're growing trust instead of importing it. For an always-on assistant that lives on your machine, talks to you over the messaging apps you already use, and compounds its usefulness over months, I'll take the slower, safer curve.
Hermes vs OpenClaw, head to head
Skills & security. OpenClaw's strength is a huge, instantly available marketplace of community SKILL.md files — and that marketplace is precisely what ToxicSkills and Cisco showed to be compromised. Hermes' self-evolved, self-curated library trades breadth for provenance. Different philosophies; only one of them has a 36%-prompt-injection problem.
Applications. Both shine as persistent, always-on personal agents — wire them to Slack, Signal, Telegram or WhatsApp and let them run shell commands, drive a browser, manage files and calendars on a heartbeat schedule. The difference is what happens over time: OpenClaw's competence is roughly the skills you've installed, while Hermes' competence is supposed to compound as it builds and refines skills around your specific recurring work. For a long-lived assistant, that compounding is the whole game.
Providers & subscriptions. Hermes is refreshingly un-opinionated about models, supporting 60+ providers (Nous Portal, OpenRouter, OpenAI, Anthropic, Google, xAI, Bedrock, plus local Ollama/vLLM/llama.cpp). One nice perk worth calling out: you can authenticate OpenAI via the Codex OAuth device flow, which lets you ride your existing Codex/ChatGPT allowance instead of paying per token on an API key.
And now the wart — because an honest comparison includes the broken bits. Using a Claude subscription with Hermes is effectively broken right now. Per the project's own provider docs and a stack of open GitHub issues, Claude Pro isn't supported for OAuth at all, and Claude Max "only works if you're on a Claude Max plan and have purchased extra usage credits" — your base subscription allowance isn't consumed. Worse, there's a live bug where the presence of a tools parameter trips an HTTP 400, and fresh subscribers hit "you're out of extra usage" on their very first turn. The pay-per-token Anthropic API key still works fine; it's specifically the subscription path that falls over.
There's a delicious bit of irony stacked on top of that. Anthropic's trademark complaint is what forced OpenClaw's awkward "Moltbot" rename earlier this year, and Anthropic's OAuth routing is what cripples Claude subscriptions inside Hermes — while OpenAI's Codex OAuth just works, and Steinberger, OpenClaw's own creator, went to OpenAI in February. Make of that what you will.
The verdict
If your priority is the largest possible catalog of ready-made capabilities today, OpenClaw wins on sheer momentum — just understand that you're opting into a supply chain that has already been demonstrably poisoned, and budget real effort for vetting every skill you install. For me, the more defensible long-term model is an agent that writes, evaluates, consolidates, and prunes its own skills, so trust grows out of your own usage rather than a stranger's repo. Hermes' self-evolving Curator-managed library is that model.
The one caveat I'd hand anyone before they install it: if you're planning to run it on a Claude subscription, don't — bring an API key or point it at OpenAI's Codex login until Nous fixes the OAuth routing. Everything else about the "agent that grows with you" pitch holds up.