Local vs Docker security
Compare host execution, Docker containers, environment forwarding, mounted files, and rollback behavior.
Risk boundary first
Hermes Agent security checklist
Before giving Hermes real work, decide where commands execute, which files are reachable, which credentials are exposed, and which integrations can send or receive messages.
Agent Guide is an independent editorial resource. It is not affiliated with, endorsed by, or sponsored by Nous Research, Hermes Agent, or Hermes/Hermes brand owners. Product names and marks belong to their respective owners.
Execution boundary matrix
| Backend | Isolation | Best for | Risk to watch |
|---|---|---|---|
| Local | None beyond your user account | Personal experiments | Broad filesystem and shell access. |
| Docker backend | Container boundary with hardening | Safer default for agent tools | Mounted volumes and forwarded env still matter. |
| SSH | Remote host boundary | Powerful remote machines | Key handling and remote filesystem scope. |
| Cloud sandbox | Provider-managed environment | Ephemeral or CI-style work | Provider trust, persistence, and network policy. |
Minimum checklist
- Start with non-sensitive test directories.
- Use Docker or another sandbox for workflows that execute commands.
- Forward only the environment variables a workflow needs.
- Review MCP and skill tool surfaces before exposing them.
- Keep messaging gateway tokens separate from other provider keys.
- Log what changed when a new skill, provider, or backend is added.
Failure modes
| Failure | Why it happens | Guardrail |
|---|---|---|
| Secret appears in logs | Key pasted into prompt, shell, or issue output | Use placeholders and scrub before sharing. |
| Agent sees too many files | Local backend starts in a broad directory | Use narrow working directories or container mounts. |
| MCP exposes dangerous tools | Server registered more tools than expected | Filter tools and disable resource wrappers where needed. |
| Channel sends unexpected output | Gateway token reused across environments | Use separate tokens and staged cutover. |
Safer default for first production-like use
For workflows that execute commands, handle messaging, or touch private repositories, use Docker or another sandboxed backend before local host execution. The official security docs describe local execution as lacking isolation beyond the user's account, while Docker-style backends provide a clearer boundary.
That boundary is not a permission slip. Mount only what the workflow needs, forward only specific environment variables, and keep gateway allowlists narrow.
What not to connect on day one
- Production credentials that cannot be rotated quickly.
- A whole home directory or broad repository folder.
- Messaging gateways with allow-all user settings.
- MCP servers whose tool list you have not inspected.
- Automation schedules that can run unattended before one manual dry run.
Local vs Docker next step
Use the dedicated local-vs-Docker guide when the main question is not whether Hermes can run, but where it should be allowed to run commands.
Official sources reviewed
| Source | Used for | Last checked | Confidence |
|---|---|---|---|
| Hermes Agent configuration guide | Provider, model, backend, and environment configuration patterns. | 2026-06-02 | high |
| Hermes Agent Docker guide | Docker run modes, mounted data directory, gateway operation, ports, and production cautions. | 2026-06-02 | high |
| MCP with Hermes Agent | MCP tool-surface, integration, and skill workflow safety context. | 2026-06-02 | high |
| Hermes Agent security guide | Approval modes, gateway authorization, Docker terminal backend hardening, and credential cautions. | 2026-06-02 | high |
Known caveats: Security guidance must be refreshed often. Treat this page as an operator checklist, not a guarantee that a deployment is safe.
FAQ
Is YOLO mode safe for production?
No. The official security docs describe YOLO mode as bypassing dangerous command approval prompts. Use it only in trusted or disposable environments.
Do approvals replace sandboxing?
No. Approval prompts reduce accidental command execution, but the execution boundary still comes from the host, container, SSH target, or sandbox.
Operator checklist
Get the Agent Guide launch checklist
Receive the smoke-test order for install path, sandbox boundary, provider setup, source review, and production checks.