In the first half of 2026, three open-source projects turned the "personal AI agent" from a demo into something running on real laptops and phones inside real businesses: OpenClaw, Hermes, and NanoClaw. Unlike a chatbot that only returns text, these agents read your messages, run commands, browse the web, remember what you tell them, and act on a schedule—usually through everyday apps like WhatsApp, Slack, Telegram, and Gmail.
The productivity story is genuine. So is the risk story. OpenClaw alone drew a critical remote-code-execution vulnerability rated 8.8 out of 10, tens of thousands of instances exposed on the open internet, and a related breach that leaked roughly 1.5 million agent API tokens. For a small or mid-sized business, the practical question is not whether personal AI agents are impressive—they are—but whether one is quietly running on an employee's machine with access to your data, and no one in charge of it.
This is the agentic version of the shadow AI problem we have written about before, and it deserves a clear-eyed benefits-versus-risks read before your team adopts—or, more likely, has already adopted—one of these tools.
What are OpenClaw, Hermes, and NanoClaw?
OpenClaw, Hermes, and NanoClaw are open-source "personal AI agent" frameworks: software you install that connects a large language model to your messaging apps, email, calendar, and files, then acts on your behalf. They share a core feature set—chat through apps you already use, persistent memory, web access, and scheduled tasks—but they optimize for different things.
- OpenClaw is the largest ecosystem. By community-tracked counts it passed roughly 345,000 GitHub stars in early April 2026, with a skills marketplace ("ClawHub") advertising 13,000-plus community add-ons and integrations across two dozen messaging platforms. Its strength is reach; its weakness, as the security record below shows, is that reach shipped ahead of hardening.
- Hermes, from Nous Research, is the "agent that grows with you." It emphasizes a self-improving skill loop and persistent memory that accumulates a long-running model of how you work—what you read, who you message, what you write. Community trackers put it among the fastest-growing agent projects of 2026, crossing 100,000 GitHub stars within its first few months.
- NanoClaw is the security-first, minimalist option. Released under the MIT license and built on Anthropic's Claude Agent SDK, it runs each agent inside its own Docker container so that a compromise of one agent cannot reach another—or the host. Its creator has said publicly he built it after finding his own OpenClaw setup had "no isolation between agents, no access controls, all my WhatsApp messages stored in plain text."
A useful shorthand that circulated in developer write-ups this spring: OpenClaw for reach, Hermes for learning, NanoClaw for trust. All three are powerful. None removes the fundamental issue that an autonomous agent acts on content no human reviewed.
What business benefits do personal AI agents offer?
The appeal is real: a personal AI agent can absorb repetitive knowledge-work through channels employees already live in, without a new dashboard to learn. For a lean team, that can feel like adding a junior assistant who works nights and weekends. The most cited benefits fall into four buckets.
- Message-native automation. Because the agent lives in WhatsApp, Slack, or Telegram, staff can hand off tasks in plain language—"summarize this thread," "draft a reply," "pull last month's numbers"—without switching tools.
- Persistent memory. The agent remembers context across sessions, so it stops asking the same questions and starts anticipating routine work. Hermes builds its whole value proposition on this.
- Scheduled and triggered tasks. Agents can run on a timer or in response to an event: a morning digest, a follow-up reminder, a weekly report compiled from several sources.
- Low cost and no lock-in. The frameworks themselves are free and open-source. You pay only for the underlying model's usage, and you can self-host rather than send data to a third-party SaaS vendor.
That last point is genuinely attractive to privacy-conscious businesses. But "self-hosted" and "secure" are not the same thing, and the difference is where most of the risk lives.
What are the security risks of personal AI agents?
The core risk is straightforward: these tools combine broad access (your messages, credentials, and files) with autonomy (they act without asking) and, often, internet exposure (they run a web service). When those three overlap without oversight, a single malicious message or link can turn a helpful assistant into an attacker's foothold. OpenClaw's 2026 track record makes the pattern concrete.
A critical remote-code-execution flaw
CVE-2026-25253 is a remote-code-execution vulnerability in OpenClaw rated 8.8 (High) on the CVSS scale and catalogued by the U.S. National Vulnerability Database. According to public analyses, it stems from improper WebSocket origin validation: an OpenClaw server would accept a gateway address supplied in a URL without checking it, auto-connect, and transmit the user's authentication token to an attacker-controlled endpoint. The upshot is that a victim clicking a single malicious link could hand over full control. Fixes landed in version 2026.1.29; instances on older versions reachable by untrusted networks should be treated as high risk.
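The defect class described here, trusting a gateway address taken from a link before handing over a token, is easiest to see beside its hardened form. The following is an added illustration, not OpenClaw's code; the allowlisted hostname and the function names are placeholders, and the allowlist check is the part that the vulnerable pattern lacks.

```python
# Illustrative check for the "untrusted gateway address" pattern described above.
# Added example, not OpenClaw's implementation; hostnames are placeholders.
from urllib.parse import urlsplit

# Gateways this agent is allowed to hand its token to (constructed sample).
TRUSTED_GATEWAYS = {("wss", "gateway.internal.example", 443)}


class UntrustedGateway(ValueError):
    pass


def resolve_gateway(supplied_url: str) -> tuple[str, str, int]:
    """Parse a gateway URL taken from a link and refuse anything not allowlisted.

    The vulnerable pattern parses the host and connects unconditionally. The
    safe pattern is an exact match on (scheme, host, port) after normalising
    case and the default port, with no userinfo component allowed.
    """
    parts = urlsplit(supplied_url)
    scheme = parts.scheme.lower()
    if scheme != "wss":                      # refuse a plaintext ws:// downgrade
        raise UntrustedGateway(f"scheme not allowed: {scheme!r}")
    if parts.username or parts.password:     # 'wss://trusted@evil' host confusion
        raise UntrustedGateway("userinfo in gateway URL")
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port or 443                 # .port raises ValueError if malformed
    target = (scheme, host, port)
    if target not in TRUSTED_GATEWAYS:
        raise UntrustedGateway(f"gateway not allowlisted: {host}:{port}")
    return target


def connect_and_authenticate(supplied_url: str, token: str) -> dict:
    """Stand-in for the auto-connect step: the token hand-off is reached only
    after resolve_gateway() accepts the target. Returns the decision instead
    of opening a real WebSocket."""
    scheme, host, port = resolve_gateway(supplied_url)
    return {"endpoint": f"{scheme}://{host}:{port}", "token_sent": bool(token)}


def is_safe_link(supplied_url: str) -> bool:
    """True only if the link's gateway would be accepted."""
    try:
        resolve_gateway(supplied_url)
        return True
    except ValueError:                       # UntrustedGateway is a ValueError too
        return False
```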
Tens of thousands of instances exposed on the open internet
Security scanners found large numbers of OpenClaw servers directly reachable from the public internet, many without authentication. Counts vary by scan and date—Censys reported roughly 21,000 exposed instances by late January 2026, while other researchers put the figure closer to 30,000–42,000. The exact number is contested, but the direction is not: this is software people stood up quickly, often without the network controls that would keep an internal tool internal.
A breach that leaked roughly 1.5 million API tokens
Moltbook, a social network built for OpenClaw agents, was found with an unsecured database exposing approximately 35,000 email addresses and 1.5 million agent API tokens. API tokens are effectively passwords for automated access; at that scale, a single misconfiguration handed attackers the keys to a very large number of agents at once. It is a textbook illustration of how fast a young, fast-growing ecosystem can turn into a concentrated liability.
Prompt injection and "memory poisoning"
Independent research from vendors including IBM X-Force, Trend Micro, Cisco, and Barracuda has flagged personal AI agents as vulnerable to indirect prompt injection—malicious instructions hidden in content the agent reads, rather than typed by the user. This is the same class of attack we covered in the Claude Code poisoned-repository research: the agent is tricked into carrying out an instruction it found in a message, a webpage, or a file.
Agents with long-term memory raise a second, subtler version of this. Because Hermes and similar tools retrieve stored memories into the model's context on every run, a poisoned memory can quietly influence the agent long after it was planted. One security firm's threat model described the persistent-memory design as one of the largest unbounded attack surfaces it had seen ship on a developer workstation, and another reviewer summed it up neatly: "skill poisoning is prompt injection with a save button." Agent-specific vulnerabilities have already appeared here too, such as CVE-2026-7396, a path-traversal flaw in a messaging-platform adapter.
Plaintext credentials and skill-marketplace supply chain
Many deployments store API keys, email tokens, and calendar permissions in plaintext configuration files—exactly the loot an attacker wants. And because these ecosystems run on community "skill" marketplaces, a malicious or hijacked add-on is a supply-chain risk of the kind we examined in the axios npm supply-chain attack. Downloading a skill is running someone else's code inside your agent.
Who in your business is actually at risk?
The population most exposed is not your IT department—it is the enthusiastic employee who set up an agent on a personal or work device to save time, connected it to a work WhatsApp or Gmail account, and never told anyone. The agent inherits that person's access, and if it is exposed to the internet or fed a malicious message, an attacker inherits it too.
For most small and mid-sized businesses, the concern is rarely a deliberate rollout. It is that a capable, autonomous piece of software is running outside IT's view with standing access to customer messages, invoices, or credentials. That is precisely the governance gap we described in our work on detecting shadow AI agents and MCP connections: when a tool is passive, unsanctioned use mostly risks data leakage; when a tool is agentic, it risks remote code execution and account takeover.
How do the three agents compare on risk?
They are not equally risky, and the differences map onto their design philosophies. Reach, learning, and trust each carry a distinct trade-off.
- OpenClaw—maximum reach, maximum surface. The largest ecosystem is also the largest target: the most skills to vet, the most integrations to secure, and the track record above. Its application-level security has repeatedly proven insufficient when instances are exposed.
- Hermes—learning creates a memory attack surface. The persistent, self-improving memory that makes Hermes valuable is also long-lived state populated by inputs the user did not all explicitly approve, and pulled into the model on every run. Powerful, but a genuinely new thing to secure.
- NanoClaw—trust by isolation, but not magic. Running each agent in its own container is a meaningfully stronger default: a compromise is walled off from other agents and the host, and credentials can be kept out of the container entirely. It reduces blast radius; it does not make an agent immune to being fed a malicious instruction.
The lesson is not "pick the safe one." It is that architecture matters, and that "self-hosted and open-source" tells you nothing on its own about isolation, credential handling, or exposure.
What should Canadian and US business leaders take from this?
You do not need to understand WebSocket validation to manage this risk. You need to know whether these agents are in use, what they can reach, and under what controls. These are questions an executive can put to an IT lead or managed service provider this week:
- Are any personal AI agents connected to our business accounts? Ask specifically about WhatsApp, Slack, Telegram, Discord, Gmail, and Microsoft 365—the channels these tools plug into.
- Is any agent reachable from the public internet? A management port exposed to the world is how tens of thousands of OpenClaw instances became targets.
- Where are the credentials, and are any in plaintext? API keys and tokens in config files are the assets attackers steal.
- Is each agent isolated, and does it need human sign-off for sensitive actions? Container isolation and a human in the loop limit how much damage a hijacked agent can do.
These questions map onto frameworks your business may already reference—the CCCS Baseline Cyber Security Controls and PIPEDA obligations in Canada, and NIST SP 800-171, the CIS Controls, and the FTC Safeguards Rule in the United States. Each assumes you can answer one basic question: what software has access to your sensitive data, and who is accountable for it? Treating an AI agent as a third party you have onboarded—complete with the diligence in our vendor risk guidance—is the right mental model.
Practical steps to reduce your exposure
You do not have to ban these tools to manage them. A few measures meaningfully reduce both the likelihood and the impact of the risks above:
- Inventory first. Build a simple list of which AI agents are in use, by whom, on what devices, and what accounts they touch. You cannot govern what you cannot see.
- Keep agents off the open internet. Never expose an agent's management interface publicly. Run it on an internal network or behind a VPN, and isolate it in a container.
- Get credentials out of plaintext. Store API keys and tokens in a secrets manager, scope them to the minimum needed, and rotate anything that may have been exposed.
- Vet skills and add-ons. Install only from trusted sources, disable automatic skill updates, and treat every third-party skill as code you are running.
- Require human approval for sensitive actions. Configure agents so that sending money, deleting data, or reaching external systems needs explicit sign-off.
- Give employees a sanctioned option. People reach for shadow agents when no approved tool exists. A governed, supported alternative is the most effective way to shrink shadow AI—the theme of our guide to building an AI usage policy.
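The exposure, credential, skill and approval items above can be turned into a mechanical check against an agent's own configuration. The following is an added example of such an audit, not code from any of the three projects; the config layout and key names are constructed placeholders rather than a real schema, so adapt the key names to the tool actually in use.

```python
# Added example: audit a self-hosted agent's config against the checklist above.
# Key names and layout are constructed placeholders, not a real project schema.
import json
import re

SECRET_KEYS = re.compile(r"(token|api_key|secret|password)$", re.IGNORECASE)
# Values that point at a secrets manager or env var instead of embedding a secret.
INDIRECT_REF = re.compile(r"^(env:|vault:|secret://|\$\{)")
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def _walk(node, path=""):
    """Yield (dotted.path, leaf_value) for every leaf in a nested dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    else:
        yield path, node


def audit_agent_config(cfg: dict) -> list[str]:
    """Return findings: public exposure, plaintext credentials, skill updates, approval."""
    findings = []
    for path, value in _walk(cfg):
        leaf = path.rsplit(".", 1)[-1]
        if (SECRET_KEYS.search(leaf) and isinstance(value, str) and value
                and not INDIRECT_REF.match(value)):
            findings.append(f"plaintext credential at {path}")
        if leaf in ("bind", "host", "listen") and str(value) in PUBLIC_BINDS:
            findings.append(f"management interface bound publicly at {path}={value}")
    if cfg.get("gateway", {}).get("auth_required") is False:
        findings.append("gateway.auth_required is false")
    if cfg.get("skills", {}).get("auto_update") is True:
        findings.append("skills.auto_update is enabled")
    if cfg.get("actions", {}).get("require_approval") is not True:
        findings.append("actions.require_approval is not enforced")
    return findings


# Constructed sample config that trips every check except the gmail key,
# which correctly references an environment variable.
SAMPLE_CONFIG = json.loads("""{
  "gateway": {"bind": "0.0.0.0", "port": 8080, "auth_required": false},
  "channels": {"whatsapp": {"token": "EXAMPLE-PLAINTEXT-TOKEN"},
               "gmail": {"api_key": "env:GMAIL_API_KEY"}},
  "skills": {"auto_update": true},
  "actions": {"require_approval": false}
}""")

if __name__ == "__main__":
    for finding in audit_agent_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```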
If you are not sure where your organization stands, our free quick security assessment is a fast way to surface gaps in how AI tools, credentials, and account access are governed.
The durable lesson
OpenClaw, Hermes, and NanoClaw are early examples of a category that is not going away: software that acts on your behalf, remembers what you tell it, and reaches into the tools your business runs on. The productivity is real, and so is the shift in risk—from tricking a person into clicking something to tricking an agent that has more access and fewer instincts for suspicion than any person on your team.
The answer is not prohibition, which only pushes adoption further into the shadows. It is to bring these agents into the light: known, scoped, isolated, and accountable to someone. An unmanaged AI agent is a capable piece of software making decisions on your behalf with no one watching—and 2026 has already shown what happens when an attacker makes one of those decisions for it.
This article is intended for general informational purposes only and does not constitute professional security, legal, or compliance advice. Details about OpenClaw, Hermes, and NanoClaw—including CVE-2026-25253, the Moltbook database exposure, and the number of internet-exposed instances—are based on public reporting, vendor research, and the U.S. National Vulnerability Database as of the date of publication and may evolve as these projects and their security records develop. Organizations should consult qualified cybersecurity professionals before adopting AI agents or making operational changes based on this article.