Deep technical comparison

Comis vs Hermes

22 dimensions, both codebases reviewed. Hermes Agent (by Nous Research) is an excellent self-improving research agent. This is an honest, source-traceable look at where each one fits.

Both projects are open source. Quotes are verbatim from Hermes's own documentation; this comparison reflects the codebases as of June 2026.

Scorecard: Comis leads 16, Hermes leads 3, tied 3.

By category (Comis leads - Hermes leads - tied):

  • Design & Trust: 3 - 0 - 0
  • Security: 5 - 0 - 1
  • Agent Capabilities: 3 - 3 - 1
  • Context Management: 3 - 0 - 0
  • Infrastructure & DX: 2 - 0 - 1

Design & Trust

A shared platform vs. a single-tenant personal agent.

Design center

Comis leads

Hermes

Single-tenant personal agent, by design. Host-first: one trusted operator on their own machine. (Their words: "Hermes Agent is a single-tenant personal agent.")

Comis

Platform - many agents × many operators, one auditable install. Built from the premise that the agents and people sharing an install aren't all fully trusted.

Trust model

Comis leads

Hermes

Single trust tier per gateway - all authorized callers are equally trusted; no per-caller capability model. The operating system is the security boundary.

Comis

Multi-tenant by construction: per-session routing, per-agent isolation, and trust-partitioned memory so an untrusted sender can't reach what the system verified.

Typed errors end-to-end

Comis leads

Hermes

Traditional throw/catch error handling. Runtime-checked.

Comis

Result<T, E> everywhere - ok(), err(), tryCatch(), fromPromise(). Failure is a value the compiler checks, not a stray exception.

Security

Layered runtime defense vs. the OS as the primary boundary.

Exec sandbox

Comis leads

Hermes

Host-first by default. Containers confine the shell tool, not the agent. The agent process itself runs on the host.

Comis

Configured by default, with kernel-backed isolation where supported - Bubblewrap on Linux (full namespace unshare) and sandbox-exec on macOS. Credentialed CLI spawns can run through broker-only mode so secrets stay outside the agent process.

Secrets at rest

Comis leads

Hermes

Plaintext .env plus file permissions, with Bitwarden as an opt-in source.

Comis

AES-256-GCM encrypted store. The code that builds the sandbox env never reads the real key.

API keys vs. agent runtime

Comis leads

Hermes

Env-scrub blocklist for child processes - named secrets are stripped from the environment handed to spawned tools. The agent process itself still holds the keys to authenticate.

Comis

Credential broker: the key is injected at the network boundary by an in-process MITM that terminates TLS with its own CA, validates a single-use token, and swaps a placeholder at the header layer. The key never enters the sandbox. Fails closed - any gate failure destroys the tunnel before a byte reaches upstream.
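The header-layer gate described above, reduced to its decision logic as an added example (not Comis source code). TLS termination and the tunnel itself are left out; the header names, the placeholder string, the host binding on each grant and every identifier are assumptions of this sketch.

```typescript
// Added illustration, not Comis source. The header names, placeholder string and
// every identifier below are assumptions made for this sketch.
type Result<T, E> = { ok: true; value: T } | { ok: false; error: E };
type GateError =
  | "unknown_token" | "token_reused" | "host_mismatch"
  | "placeholder_missing" | "secret_unavailable";
interface OutboundRequest { host: string; headers: Record<string, string> }
interface Grant { host: string; secretName: string; used: boolean }

const PLACEHOLDER = "BROKER_PLACEHOLDER";
const TOKEN_HEADER = "x-broker-token";
const fail = (error: GateError): Result<OutboundRequest, GateError> => ({ ok: false, error });

// Runs in the broker, outside the sandbox. The sandboxed client only ever holds
// PLACEHOLDER and a single-use token; the real key lives in `secrets`.
function brokerRewrite(
  req: OutboundRequest,
  grants: Map<string, Grant>,
  secrets: Map<string, string>,
): Result<OutboundRequest, GateError> {
  const token = req.headers[TOKEN_HEADER];
  const grant = token === undefined ? undefined : grants.get(token);
  if (grant === undefined) return fail("unknown_token");
  if (grant.used) return fail("token_reused");
  grant.used = true; // burn the token before the remaining gates: a failed attempt cannot be retried

  if (grant.host !== req.host) return fail("host_mismatch");
  const auth = req.headers["authorization"];
  if (auth === undefined || !auth.includes(PLACEHOLDER)) return fail("placeholder_missing");
  const secret = secrets.get(grant.secretName);
  if (secret === undefined) return fail("secret_unavailable");

  // Copy the headers, drop the broker token, substitute the key only in Authorization.
  const headers: Record<string, string> = {};
  for (const name of Object.keys(req.headers)) {
    if (name !== TOKEN_HEADER) headers[name] = req.headers[name];
  }
  headers["authorization"] = auth.split(PLACEHOLDER).join(secret);
  return { ok: true, value: { host: req.host, headers } };
}

// Constructed sample data: one grant, one key, and the same request sent twice.
function demo(): [Result<OutboundRequest, GateError>, Result<OutboundRequest, GateError>] {
  const grants = new Map<string, Grant>([["tok-1", { host: "api.example.com", secretName: "llm", used: false }]]);
  const secrets = new Map<string, string>([["llm", "sk-constructed-0000"]]);
  const req: OutboundRequest = {
    host: "api.example.com",
    headers: { authorization: `Bearer ${PLACEHOLDER}`, [TOKEN_HEADER]: "tok-1" },
  };
  return [brokerRewrite(req, grants, secrets), brokerRewrite(req, grants, secrets)];
}
```

Every failure returns an error value instead of a request, so the caller has nothing to forward upstream; that is the fail-closed property in miniature.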

Prompt injection

Comis leads

Hermes

Heuristic wrapping of untrusted content. Hermes is candid that this is not a boundary: in their own words, "The only security boundary against an adversarial LLM is the operating system."

Comis

Layered runtime defenses with benchmarked poisoning resistance - a weighted, multi-pattern content scanner, output guarding, and trust-partitioned memory, measured in public rather than asserted.

Skill / code safety

Comis leads

Hermes

Skills are user-authored and trusted by the single operator; self-improving skills are created and rewritten by the agent. A 'Skills Guard' scans skill content for injection patterns at install, but it is a review aid, not an enforced boundary - operator review is the real control.

Comis

A skill content scanner screens every skill at load time (exec injection, exfiltration, XML breakout), plus ESLint-enforced security bans (no path.join, no process.env, no eval/new Function, no swallowed errors) and architecture-as-tests that block insecure patterns in CI.

Supply-chain integrity

Tie

Hermes

Sigstore-signed releases with exact-pinned dependencies.

Comis

Sigstore-attested releases (npm provenance via GitHub OIDC); all dependencies exact-pinned and workspace packages bundled.

Agent Capabilities

Where Hermes's self-improving loop genuinely shines.

Self-improvement

Hermes leads

Hermes

Yes - the agent rewrites its own skills. A built-in learning loop creates skills from experience and improves them during use. This is a genuine, distinctive strength.

Comis

Self-improvement lives in memory, not code: the memory learns from use via a bounded, auditable tuner (with the trust weight structurally frozen). Skills stay operator-reviewed - the agent does not rewrite its own executable skills.

Messaging channels

Hermes leads

Hermes

20+ platform adapters - a broad, mature channel surface. Channel breadth is a real Hermes strength.

Comis

9 first-party channels: Telegram, Discord, Slack, WhatsApp, Signal, iMessage, LINE, IRC, Email.

Multi-agent orchestration

Comis leads

Hermes

delegate_task spawns isolated subagents (flat by default - depth 1; opt-in max_spawn_depth with no hard ceiling), plus a kanban board for task tracking. Effective for personal task delegation; not a full graph engine.

Comis

Natural-language → DAG orchestration: 7 node types (agent, debate, vote, refine, collaborate, map-reduce, human approval gate) with barrier modes, per-node budgets, and approval gates.

Memory

Comis leads

Hermes

Agent-curated memory: LLM-free FTS5 session search, plus LLM summarization and dialectic user modeling for cross-session recall. No trust levels in the memory store (skill sources do carry builtin/trusted/community tiers); the learning loop is unbenchmarked.

Comis

Trust-partitioned and benchmarked in public: SQLite + FTS5 + sqlite-vec hybrid recall (reciprocal rank fusion), trust-first contradiction resolution (system > learned > external), and learning from use behind a bounded tuner with the trust weight frozen. Measured 87.5% head-to-head with mem0 (N=8), +37.5 pt over a full-context control, $0 on-device.
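How reciprocal rank fusion and a trust-first tie-break can combine, as an added example (not Comis source code). The record shape, the `subject` key used to detect contradictions, and k = 60 are assumptions of this sketch; only the system > learned > external ordering comes from the text above.

```typescript
// Added illustration, not Comis source: the record shape, `subject` key and k = 60 are assumptions.
type Trust = "system" | "learned" | "external";
interface MemoryItem { id: string; subject: string; text: string; trust: Trust }

const TRUST_RANK: Record<Trust, number> = { system: 2, learned: 1, external: 0 };

// Reciprocal rank fusion: score(d) = sum over rankings of 1 / (k + rank), rank starting at 1.
function rrf(rankings: string[][], k = 60): Map<string, number> {
  const scores = new Map<string, number>();
  for (const ranking of rankings) {
    ranking.forEach((id, index) => {
      scores.set(id, (scores.get(id) ?? 0) + 1 / (k + index + 1));
    });
  }
  return scores;
}

// Fuse the keyword and vector rankings, then keep one item per subject:
// the higher trust tier wins outright; the fused score only breaks ties within a tier.
function recall(items: MemoryItem[], keywordRank: string[], vectorRank: string[]): MemoryItem[] {
  const scores = rrf([keywordRank, vectorRank]);
  const score = (m: MemoryItem): number => scores.get(m.id) ?? 0;
  const winners = new Map<string, MemoryItem>();
  for (const item of items) {
    if (!scores.has(item.id)) continue; // not retrieved by either index
    const current = winners.get(item.subject);
    const better =
      current === undefined ||
      TRUST_RANK[item.trust] > TRUST_RANK[current.trust] ||
      (item.trust === current.trust && score(item) > score(current));
    if (better) winners.set(item.subject, item);
  }
  return Array.from(winners.values()).sort((a, b) => score(b) - score(a));
}

// Constructed sample: an external message contradicts a system-verified fact
// and ranks first in both indexes.
const SAMPLE: MemoryItem[] = [
  { id: "m1", subject: "billing.owner", text: "Billing owner is alice", trust: "system" },
  { id: "m2", subject: "billing.owner", text: "Billing owner is bob", trust: "external" },
  { id: "m3", subject: "deploy.window", text: "Deploys happen on Tuesdays", trust: "learned" },
];

function demoRecall(): string[] {
  return recall(SAMPLE, ["m2", "m1", "m3"], ["m2", "m1"]).map((m) => m.id);
}
```

In the sample, `m2` has the highest fused score yet is dropped, because relevance never outranks the trust tier when two records disagree on the same subject.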

Model providers

Tie

Hermes

Wide model support via Nous Portal, OpenRouter, NovitaAI, NVIDIA NIM, OpenAI, and any OpenAI-compatible endpoint - swap models with one command, no lock-in.

Comis

35 catalog providers via pi-ai, local Ollama/LM Studio, and any OpenAI-compatible endpoint.

Interactive terminal control

Comis leads

Hermes

No interactive terminal/PTY driver - the terminal tool runs one-shot or background commands, not a live interactive session.

Comis

Daemon-supervised interactive terminal driver: a real PTY fed into a headless emulator, governed like an MCP server (operator allowlist + per-entry sandbox scope), credential-agnostic. Drives interactive shells and AI-CLIs.

Execution & deployment backends

Hermes leads

Hermes

Six execution backends (local, Docker, SSH, Modal, Daytona, Singularity); Modal and Daytona offer serverless persistence that hibernates when idle - a genuine operational strength.

Comis

Runs as a supervised daemon (directly or via pm2); no serverless or scale-to-zero hosting story.

Context Management

Lossless, reversible compression vs. cheap-model summary.

Context at scale

Comis leads

Hermes

Auto-compression at roughly 50% of the context window, using a cheaper model to summarize. Effective, but lossy - the compressed detail isn't recoverable in-session.

Comis

DAG-backed context recovery - old turns can compress into a zoomable leaf->condensed summary DAG the agent can drill back into (ctx_search / ctx_inspect / ctx_expand). Compression remains inspectable in-session instead of becoming a one-way summary.

Cache & cost optimization

Comis leads

Hermes

Provider-level prompt caching where the model supports it. No published cache-fence, breakpoint, or systematic invalidation strategy.

Comis

A cache-fence index keeps the cached prefix byte-stable while the context engine edits everything after it, with adaptive TTL escalation, two-phase cache-break detection, and sub-agent spawn staggering - 15+ shipped optimizations. Measured 94% warm cache-hit rate; $5.02 vs $26.42 on a 76-call Opus session.

Local-model security floor & tuning

Comis leads

Hermes

Local models are supported (Ollama, LM Studio, vLLM and similar). The OS is the boundary, whatever the model - there is no model-aware hardening.

Comis

The security posture belongs to the platform, not the model: sandboxed execution where supported, the credential broker, and the skill content scanner apply whether you run a frontier cloud model or a local one. Capability profiles also tune prompt-size budgets, focused tool sets, JSON repair, and self-correction to the model tier.

Infrastructure & DX

Glass-box observability and a typed, layered architecture.

Observability

Comis leads

Hermes

Python logging with rotating, credential-redacted plaintext logs per component (agent / gateway / gui). Solid operational logging for a single operator; no structured event bus.

Comis

Result<T, E> + traceId glass box: every action is reconstructable from structured logs alone (AsyncLocalStorage-propagated traceId, canonical field dictionary, required hint + errorKind on every failure branch), plus a bounded, causal obs.explain incident artifact.

Architecture

Comis leads

Hermes

Single gateway process with a plugin/skill model. Lighter-weight and quick to extend for one operator.

Comis

Hexagonal (ports & adapters). 15-package monorepo with a compile-time-enforced dependency graph via TypeScript composite references.

License

Tie

Hermes

MIT - permissive and simple.

Comis

Apache-2.0 - patent grant included.

Key takeaways

Where Comis leads

  • Platform / multi-tenant design center - many agents × many operators, one auditable install
  • Exec sandbox configured by default, with kernel-backed isolation where supported
  • Encrypted secrets (AES-256-GCM) + credential broker - keys never meet agents
  • Layered + benchmarked prompt-injection defense
  • Trust-partitioned learning memory (bounded tuner, trust weight frozen)
  • Lossless context (DAG engine - nothing deleted, compression reversible in-session)
  • Natural-language → DAG orchestration (7 node types)
  • Local-model security floor + reliability scaffold - a weaker model gets a stricter posture and is actively tuned to run well
  • Result<T, E> + traceId glass box - every action reconstructable from logs alone

Where Hermes leads

  • Self-improving skill loop (the agent rewrites its own skills)
  • 20+ platform adapters
  • Serverless execution backends (Modal/Daytona hibernate when idle)
  • Trajectory export as model-training data (ShareGPT/RL datasets)

If you want a self-improving research agent that writes its own skills, Hermes is genuinely excellent at exactly that.

Different philosophies

Comis

Design center: A platform for teams and communities, isolated by design - many agents, many operators, one auditable install.

Security stance: Defense in depth with sandboxed tools where supported, typed boundaries, encrypted secrets, and a broker that keeps keys away from agents.

Self-improvement: In memory, not code - the memory learns from use under a bounded, auditable tuner; skills stay operator-reviewed.

Trust model: Multi-tenant ready, with trust-partitioned memory and per-session routing.

Hermes Agent

"Hermes Agent is a single-tenant personal agent"

- Hermes SECURITY.md

"The only security boundary against an adversarial LLM is the operating system."

- Hermes SECURITY.md

Design center: Single-tenant personal agent - host-first by default.

Self-improvement: A built-in learning loop - the agent creates and rewrites its own skills from experience.

All 22 dimensions

The full picture at a glance.

| Dimension | Hermes | Comis | Winner |
| --- | --- | --- | --- |
| Design center | Single-tenant personal agent, by design. | Platform - many agents × many operators, one auditable install. | Comis |
| Trust model | Single trust tier per gateway - all authorized callers are equally trusted; no per-caller capability model. | Multi-tenant by construction: per-session routing, per-agent isolation, and trust-partitioned memory so an untrusted sender can't reach what the system verified. | Comis |
| Typed errors end-to-end | Traditional throw/catch error handling. | Result<T, E> everywhere - ok(), err(), tryCatch(), fromPromise(). | Comis |
| Exec sandbox | Host-first by default. | Configured by default, with kernel-backed isolation where supported - Bubblewrap on Linux (full namespace unshare) and sandbox-exec on macOS. | Comis |
| Secrets at rest | Plaintext .env plus file permissions, with Bitwarden as an opt-in source. | AES-256-GCM encrypted store. | Comis |
| API keys vs. agent runtime | Env-scrub blocklist for child processes - named secrets are stripped from the environment handed to spawned tools. | Credential broker: the key is injected at the network boundary by an in-process MITM that terminates TLS with its own CA, validates a single-use token, and swaps a placeholder at the header layer. | Comis |
| Prompt injection | Heuristic wrapping of untrusted content. | Layered runtime defenses with benchmarked poisoning resistance - a weighted, multi-pattern content scanner, output guarding, and trust-partitioned memory, measured in public rather than asserted. | Comis |
| Skill / code safety | Skills are user-authored and trusted by the single operator; self-improving skills are created and rewritten by the agent. | A skill content scanner screens every skill at load time (exec injection, exfiltration, XML breakout), plus ESLint-enforced security bans (no path.join, no process.env, no eval/new Function, no swallowed errors) and architecture-as-tests that block insecure patterns in CI. | Comis |
| Supply-chain integrity | Sigstore-signed releases with exact-pinned dependencies. | Sigstore-attested releases (npm provenance via GitHub OIDC); all dependencies exact-pinned and workspace packages bundled. | Tie |
| Self-improvement | Yes - the agent rewrites its own skills. | Self-improvement lives in memory, not code: the memory learns from use via a bounded, auditable tuner (with the trust weight structurally frozen). | Hermes |
| Messaging channels | 20+ platform adapters - a broad, mature channel surface. | 9 first-party channels: Telegram, Discord, Slack, WhatsApp, Signal, iMessage, LINE, IRC, Email. | Hermes |
| Multi-agent orchestration | delegate_task spawns isolated subagents (flat by default - depth 1; opt-in max_spawn_depth with no hard ceiling), plus a kanban board for task tracking. | Natural-language → DAG orchestration: 7 node types (agent, debate, vote, refine, collaborate, map-reduce, human approval gate) with barrier modes, per-node budgets, and approval gates. | Comis |
| Memory | Agent-curated memory: LLM-free FTS5 session search, plus LLM summarization and dialectic user modeling for cross-session recall. | Trust-partitioned and benchmarked in public: SQLite + FTS5 + sqlite-vec hybrid recall (reciprocal rank fusion), trust-first contradiction resolution (system > learned > external), and learning from use behind a bounded tuner with the trust weight frozen. | Comis |
| Model providers | Wide model support via Nous Portal, OpenRouter, NovitaAI, NVIDIA NIM, OpenAI, and any OpenAI-compatible endpoint - swap models with one command, no lock-in. | 35 catalog providers via pi-ai, local Ollama/LM Studio, and any OpenAI-compatible endpoint. | Tie |
| Interactive terminal control | No interactive terminal/PTY driver - the terminal tool runs one-shot or background commands, not a live interactive session. | Daemon-supervised interactive terminal driver: a real PTY fed into a headless emulator, governed like an MCP server (operator allowlist + per-entry sandbox scope), credential-agnostic. | Comis |
| Execution & deployment backends | Six execution backends (local, Docker, SSH, Modal, Daytona, Singularity); Modal and Daytona offer serverless persistence that hibernates when idle - a genuine operational strength. | Runs as a supervised daemon (directly or via pm2); no serverless or scale-to-zero hosting story. | Hermes |
| Context at scale | Auto-compression at roughly 50% of the context window, using a cheaper model to summarize. | DAG-backed context recovery - old turns can compress into a zoomable leaf->condensed summary DAG the agent can drill back into (ctx_search / ctx_inspect / ctx_expand). | Comis |
| Cache & cost optimization | Provider-level prompt caching where the model supports it. | A cache-fence index keeps the cached prefix byte-stable while the context engine edits everything after it, with adaptive TTL escalation, two-phase cache-break detection, and sub-agent spawn staggering - 15+ shipped optimizations. | Comis |
| Local-model security floor & tuning | Local models are supported (Ollama, LM Studio, vLLM and similar). | The security posture belongs to the platform, not the model: sandboxed execution where supported, the credential broker, and the skill content scanner apply whether you run a frontier cloud model or a local one. | Comis |
| Observability | Python logging with rotating, credential-redacted plaintext logs per component (agent / gateway / gui). | Result<T, E> + traceId glass box: every action is reconstructable from structured logs alone (AsyncLocalStorage-propagated traceId, canonical field dictionary, required hint + errorKind on every failure branch), plus a bounded, causal obs.explain incident artifact. | Comis |
| Architecture | Single gateway process with a plugin/skill model. | Hexagonal (ports & adapters). | Comis |
| License | MIT - permissive and simple. | Apache-2.0 - patent grant included. | Tie |

Every Hermes claim here is sourced from Nous Research's own repository and security documentation (June 2026); the verbatim quotes are from Hermes's SECURITY.md. Comis figures map to the committed benchmark manifests and the audited README. Their strengths are credited where they genuinely lead.

Choose honestly

If you want a personal assistant with native mobile apps, voice wake, and the widest channel list, OpenClaw is excellent. If you want a self-improving research agent that writes its own skills, Hermes is excellent. If you want an agent platform you can hand to your team, your family, or your company - and audit every action it takes - that's Comis.