How Comis compares.

We built Comis after studying its two closest neighbors in depth - OpenClaw and Hermes Agent. Both are excellent, and both are candid about their design center. So are we.

Comis starts from the opposite premise: an install that holds up even when the agents and people sharing it aren't fully trusted.

In their own words

Two great agents, built for one trusted operator.

Neither is a strawman. Each is a serious, well-engineered project with a clearly stated design center. Here is what each does best - and exactly how its authors describe its security model.

OpenClaw

Personal assistant - one trusted operator (potentially many agents), by design.

Where it shines

  • 23+ channels
  • native mobile & desktop apps
  • voice wake
  • Canvas
  • 140+ extensions

From their own docs

  • "'personal assistant' (one trusted operator, potentially many agents), not 'shared multi-tenant bus'"

    - OpenClaw SECURITY.md

  • "the exec sandbox is opt-in and off by default"

    - OpenClaw SECURITY.md

  • "prompt injection is out of scope absent a boundary bypass"

    - OpenClaw SECURITY.md

Hermes Agent

Single-tenant personal agent - host-first by default.

Where it shines

  • self-improving skill loop (the agent rewrites its own skills)
  • 20+ platform adapters
  • serverless execution backends (Modal/Daytona hibernate when idle)
  • trajectory export as model-training data (ShareGPT/RL datasets)

From their own docs

  • "Hermes Agent is a single-tenant personal agent"

    - Hermes SECURITY.md

  • "The only security boundary against an adversarial LLM is the operating system."

    - Hermes SECURITY.md

Where Comis differs

Designed for a shared install from day one.

OpenClaw and Hermes are built around one trusted operator. Comis is built for a team, family, or company - many agents and operators sharing one install - so separation, secret handling, and auditability are platform properties, not prompt instructions.

  • Platform / multi-tenant design center - many agents × many operators, one auditable install
  • Exec sandbox configured by default, with kernel-backed isolation where supported
  • Encrypted secrets (AES-256-GCM) + credential broker - keys never meet agents
  • Layered + benchmarked prompt-injection defense
  • Trust-partitioned learning memory (bounded tuner, trust weight frozen)
  • Lossless context (DAG engine - nothing deleted, compression reversible in-session)
  • Natural-language → DAG orchestration (7 node types)
  • Local-model security floor + reliability scaffold - a weaker model gets a stricter posture and is actively tuned to run well
  • Result<T, E> + traceId glass box - every action reconstructable from logs alone

Side by side

The full picture.

Sourced from each project's own repository and security documentation, June 2026. Their strengths are bolded where they win.

| | Comis | OpenClaw | Hermes Agent |
|---|---|---|---|
| Design center | Platform - many agents x many operators, one auditable install | Personal assistant - one trusted operator, by design | Single-tenant personal agent, by design |
| Exec sandbox | Configured by default; kernel-backed where supported (Bubblewrap / sandbox-exec) | Docker sandbox, opt-in (off by default) | Host-first by default; containers confine the shell tool, not the agent |
| Secrets at rest | AES-256-GCM encrypted store | Config/auth profiles support plaintext paths and SecretRefs | .env + file permissions (Bitwarden opt-in) |
| API keys vs. agent runtime | Credential broker - key injected at the network boundary, never inside the sandbox | Keys held in the gateway process | Env-scrub blocklist for child processes |
| Prompt injection | Layered runtime defenses + benchmarked poisoning resistance | Out of scope absent a boundary bypass | Heuristic wrapping; no boundary claimed |
| Memory | Trust-partitioned, learns from use (bounded tuner, trust frozen), benchmarked in public | No trust levels | No trust levels; learning loop unbenchmarked |
| Context at scale | DAG-backed context recovery - compressed detail remains inspectable in-session | Compaction / pruning hooks; tool-result compaction | Auto-compression at 50% of window (cheap-model summary) |
| Local models | Tier-aware capability profile - a weaker model gets a stricter security posture and an auto-tuned reliability scaffold (prompt-size caps, focused tool sets, JSON repair, self-correction) | Supported (Ollama, LM Studio, vLLM); no model-aware hardening | Supported (Ollama, LM Studio, vLLM); the OS is the boundary, whatever the model |
| Multi-agent orchestration | Natural-language DAGs - 7 node types, barriers, budgets, approval gates | Agent routing + spawn; hierarchy frameworks declined | delegate_task (depth <= 2) + kanban board |
| Typed errors end-to-end | Result<T, E> first - failures are typed and architecture-tested | - | - |
| Messaging channels | 9 | 23+ | 20+ |
| Self-improvement | In memory, not code - the memory learns from use (bounded, auditable); skills stay operator-reviewed | - | Yes - agent rewrites its own skills |
| License | Apache-2.0 | MIT | MIT |

Want the full side-by-side?

Each deep comparison is a verified, dimension-by-dimension walkthrough across architecture, security, capabilities, context, and cost.

Choose honestly

Choose honestly. If you want a personal assistant with native mobile apps, voice wake, and the widest channel list, OpenClaw is excellent. If you want a self-improving research agent that writes its own skills, Hermes is excellent. If you want an agent platform you can hand to your team, your family, or your company - and audit every action it takes - that's Comis.