What makes Hermes skills different from OpenClaw or Cowork skills?

Hermes is built around self-writing skills: when it solves a hard problem, it writes itself a skill file so it never has to figure that task out again. Over time it accumulates a personal library of reusable skills. You still review and approve what persists, but the agent does the authoring rather than you importing pre-built skills.

Should I install third-party Hermes skills?

Avoid importing unknown third-party skills wholesale — they run with your agent's permissions and a meaningful share of public-registry skills have contained malicious code. The safer pattern with Hermes is to have the agent write the skill you need from your own description, read the result, then enable it.

How do I stop a self-written skill from doing something dangerous?

Read every skill before letting it persist, run an allowlist so only reviewed skills are enabled, pin versions, and keep human approval on irreversible actions. The self-improvement loop is safe when a human stays in the loop for anything that touches credentials or the outside world.

Last updated: 2026-06-01

Hermes Skills Guide: Write Your Own

Self-writing skills are Hermes's whole identity. When it solves a hard problem, it writes itself a skill — a small note describing how to do that job — so the next time you ask, it just does it. Over months, your agent builds a personal library of skills tuned to your work. This guide explains how that loop works and how to drive it safely: describe the outcome, let Hermes draft the skill, test it, review what it can touch, and persist it.

⚠️ Safety first: skills are code that runs with your permissions

A Hermes skill can read files, hit the network, and use your credentials. That's true whether the agent wrote it or you imported it. Don't install unknown third-party skills. Security researchers auditing a major public agent-skill registry in early 2026 found a meaningful share of published skills contained credential-exfiltration or reverse-shell code. The safe pattern below has the agent write the skill from your description so you can read exactly what it does before enabling it.

How Hermes skills work

A skill is a reusable recipe. It captures the steps, the tools/MCP servers involved, the inputs it expects, and the output it produces — so a multi-step task becomes a single repeatable action.
The self-improvement loop. After Hermes works through a novel task, it can write a skill capturing what worked. Next time the same job appears, it loads the skill instead of re-deriving the solution from scratch — faster, cheaper, and more consistent.
Skills compound. Unlike a one-off chat, a saved skill persists across sessions and restarts. A six-month-old Hermes install has a library shaped by how you work — that accumulated context is the real moat, not the base model.
Bundles group related skills. Recent Hermes versions let you load a set of related skills together (a "bundle") in one command, so a whole workflow comes online at once.

Step-by-step: have your agent write a skill

Describe the outcome, not the code. Tell Hermes the job to be done and what "done" looks like. Good skill requests are specific about inputs, outputs, and edge cases — and silent about implementation.
Let Hermes draft the skill. It writes a skill file with the steps and the tools it needs. If it requires an MCP server or a channel you haven't connected, it will say so.
Test on a real example. Run it against one real input and read the output. Don't trust a skill you've never seen produce a correct result.
Review what it can touch (see the checklist below) before you let it persist.
Persist it. Save the reviewed skill so the agent reuses it automatically. From here it's part of your library.
Iterate. When the skill misses an edge case, describe the gap and let Hermes revise it. Re-review, re-save.

Copy this prompt

Paste this to have Hermes author a skill the safe way — describe-outcome, draft, test, and stop for your review before persisting:

Write me a Hermes skill that does the following job:

  <describe the job: the trigger, the inputs, the steps,
   and exactly what a correct output looks like>

Requirements:
- Use only the tools and MCP servers I already have connected.
  If you need one I don't have, stop and tell me which one and why.
- Request the minimum access needed. List every file path, network
  domain, and secret/credential the skill will touch.
- Do NOT take any irreversible action (sending, deleting, posting,
  paying) without an explicit confirmation step.
- Run it once on this real example: <paste one real input>
- Show me the skill file and the test output, then STOP.
  Do not persist or enable it until I say "save it".

Ready-to-use starter prompts

Inbox triage: "Write a skill that reads my unread email, labels each message as urgent / reply-needed / FYI / ignore, and drafts (not sends) a reply for anything in 'reply-needed'."
Daily brief: "Write a skill that each morning at 8am compiles my calendar, my open tasks, and overnight messages into a single short brief and sends it to my Telegram."
Competitor teardown: "Write a skill that takes a URL, has the browser tool capture the page and the visible tech signals, and produces a one-page summary — no logins, read-only."
Release watcher: "Write a skill that checks a given GitHub repo's releases once a day and messages me a plain-language summary only when there's a new tag."

After your agent writes the skill: the review checklist

Before you save any skill, read it and confirm:

Filesystem: which paths does it read or write? A skill that should only read your calendar shouldn't be touching ~/.ssh or your config directory.
Network: which domains does it reach? Every outbound domain should map to a step you asked for.
Secrets: which credentials or env vars does it use? Least privilege — a formatter shouldn't see your API keys.
Irreversible actions: does anything send, delete, post, or pay without a confirmation step? If so, add the gate before saving.
Tool chaining: does it invoke other skills or MCP servers? Those inherit its reach — review them too.

This is the same allowlist discipline covered in the Hermes security guide: only reviewed, version-pinned skills get enabled.