Operations report

Hermes and OpenClaw

Hermes and OpenClaw are both reachable, current enough for active use, and passing smoke checks. Remaining work is mainly credentials, policy hardening, and state hygiene.

Operational With Warnings

Generated 2026-07-05T16:04:19+10:00 from local doctor, status, smoke, endpoint, and control-plane checks. This public report intentionally omits tokens, raw keys, credential values, and private auth material.

Topline

Hermes doctorrc 0 / issues 0
OpenClaw doctorrc 0 / errors 0
Control healthhealthy / failures 0
Contract auditwarn {'bad': 0, 'ok': 51, 'warn': 3}

Hermes Agent

VersionHermes Agent v0.18.0 (2026.7.1) · upstream 7e8f50a1
Default route{'context_length': 1100000, 'default': 'kimi-k2.7-code:cloud', 'provider': 'ollama', 'supports_vision': True}
Health endpoint{"status": "ok", "platform": "hermes-agent", "version": "0.18.0"}
Smoke testOK
Doctor passes70 positive checks observed

Hermes Findings

Important passes

  • ✓ No active security advisories
  • ✓ Config version up to date (v33)
  • ✓ OpenAI Codex auth (logged in)
  • ✓ agent-browser (Node.js) (browser automation)
  • ✓ Playwright Chromium (browser engine)
  • ✓ Browser tools (agent-browser) deps (no known vulnerabilities)
  • ✓ web workspace deps (no known vulnerabilities)
  • ✓ ui-tui workspace deps (no known vulnerabilities)
  • ✓ 5 profile(s) found

Warnings

  • ⚠ Nous Portal auth (not logged in)
  • ⚠ MiniMax OAuth (not logged in)
  • ⚠ xAI OAuth (not logged in)
  • ⚠ docker not found (optional)
  • ⚠ OpenRouter API (not configured)
  • ⚠ browser-cdp (system dependency not met)
  • ⚠ computer_use (system dependency not met)
  • ⚠ discord (missing DISCORD_BOT_TOKEN)
  • ⚠ discord_admin (missing DISCORD_BOT_TOKEN)
  • ⚠ hermes-yuanbao (system dependency not met)
  • ⚠ homeassistant (system dependency not met)
  • ⚠ spotify (system dependency not met)
  • ⚠ video_gen (system dependency not met)
  • ⚠ x_search (missing XAI_API_KEY)
  • ⚠ No GITHUB_TOKEN (60 req/hr rate limit — set in ~/.hermes/.env for better rates)

OpenClaw

VersionOpenClaw 2026.6.11 (e085fa1)
Gateway health{"ok":true,"status":"live"}
Agent smokeOK
Security audit0 critical · 2 warn · 1 info
Sessions60 active · default kimi-k2.7-code:cloud (262k ctx) · 3 stores
Orphan transcripts9 reported by doctor

OpenClaw Findings

Gateway/service posture

  • Gateway local · ws://127.0.0.1:18789 (local loopback) · reachable 39ms · auth token · MacBook-Air.
  • Gateway self MacBook-Air.local (192.168.68.116) app 2026.6.11 macos 26.5.1
  • Gateway service LaunchAgent installed · loaded · running (pid 6412, state active)
  • Node service LaunchAgent installed · loaded · running (pid 45301, state active)
  • Gateway reachable 309ms

Doctor and status warnings

  • - plugins.entries.codex: plugin disabled (disabled in config) but
  • - Left legacy config health state in place because 1 entry conflicts with shared SQLite state: ~/.openclaw/logs/config-health.json
  • - Left legacy config health state in place because 1 entry conflicts
  • Moved agents.list.main.models legacy runtime keys to canonical
  • Moved agents.list.vanilla.models legacy runtime keys to canonical
  • Run "openclaw doctor --fix" to apply these changes.
  • - anthropic:manual: expired [expired] — Re-auth via `openclaw models
  • - xai:<redacted-email>: expired (0m) — Re-auth via `openclaw
  • - Config health state: legacy JSON file → shared SQLite state
  • - Found 1 agent directory on disk without a matching agents.list
  • - Found 9 orphan transcript files in
  • Cron model overrides detected at ~/.openclaw/cron/jobs.json.
  • - This is a supported shape, not a legacy store row, so the doctor fix
  • - WARNING: openclaw.json contains plaintext secret-bearing config
  • - plugins.entries.codex: plugin disabled (disabled in config) but config is present
  • Run "openclaw doctor --fix" to apply changes.
  • Summary: 0 critical · 2 warn · 1 info
  • WARN Reverse proxy headers are not trusted
  • WARN Potential multi-user setup detected (personal-assistant model warning)

Control Plane

Healthcheckrc 0
Launchd backlogok {'bad': 0, 'ok': 44, 'warn': 1}
Cron readinessGO / 99
Cron follow-upok {'waiting_for_scheduled_run': 1}
Hermes endpointOK
OpenClaw endpointOK

Risk Register and Next Actions

Safe to defer

  • Optional Hermes integrations are not logged in or not configured: Nous Portal, MiniMax, xAI, OpenRouter, GitHub token, Docker, Discord, Home Assistant, Spotify, and x_search dependencies.
  • OpenClaw reverse-proxy and multi-user warnings are policy warnings; the gateway is currently loopback-reachable and healthy.
  • OpenClaw cron model overrides are intentional unless those jobs should inherit the default Kimi/Ollama route.

Should be scheduled

  • Rotate or revoke any OAuth token that was copied into chat or terminal history.
  • Migrate OpenClaw plaintext secret-bearing config fields to SecretRefs with the supported secrets workflow.
  • Re-authenticate OpenClaw Anthropic and xAI model accounts if those providers are still required.
  • Confirm whether the stale crestodian agent directory should be restored or archived.
  • Archive current orphan transcript files with openclaw doctor --fix when no long-lived sessions depend on them.

Public-safety note: this page reports categories and counts, not raw tokens, secret values, private prompts, transcript content, or credential payloads.

Evidence Commands

Hermes doctorhermes doctor
OpenClaw doctor~/.local/opt/node/bin/node ~/.local/opt/node-v26.3.1-darwin-arm64/lib/node_modules/openclaw/dist/index.js doctor
OpenClaw status~/.local/opt/node/bin/node ~/.local/opt/node-v26.3.1-darwin-arm64/lib/node_modules/openclaw/dist/index.js status --deep
Healthcheck~/bin/codex-hermes-openclaw-healthcheck.sh