Key takeaways
- Hermes Agent and OpenClaw are general-purpose open-source agent frameworks, not industrial control or safety systems.
- The safe starting architecture separates business knowledge access from OT control.
- Use sandboxing, least-privilege tools, project isolation, secret management and approval gates together.
- A successful pilot proves a bounded workflow and security model, not general autonomy.
What Hermes Agent and OpenClaw are
Hermes Agent is an open-source agent runtime from Nous Research with persistent memory, reusable skills, scheduled tasks, multiple execution backends and Model Context Protocol integration. OpenClaw is an open-source personal-agent platform with isolated agents, workspaces, channel routing, tools and sandbox options.
Both can call tools and take actions on a computer. That makes them more capable than a simple chat interface and materially increases the security and operating risk. Neither project should be treated as a certified industrial control, functional-safety or GxP platform.
Manufacturing use cases that fit
Good first use cases are bounded, evidence-based and reversible:
- search approved SOPs, manuals and engineering documents with citations;
- assemble maintenance history for planner review;
- check work-pack completeness against an approved template;
- summarize non-critical shift records and open actions;
- prepare a daily report from approved read-only data;
- route unanswered questions to the document or process owner.
Avoid direct control, automatic set-point changes, safety bypasses, permit approvals, batch release and unsupervised writes to ERP, MES, CMMS or document-control systems in an early deployment.
A private reference architecture
Place the agent runtime in an enterprise or industrial DMZ environment, separate from control networks. Give it access to a curated knowledge index or read-only API, not unrestricted database or file-system credentials. Use an internal model endpoint when data must stay within the customer environment.
The flow should be: user request, identity check, policy check, agent planning, allowlisted tool call, read-only data adapter, cited response, then human approval if an external action is proposed. Log tool calls and policy decisions without collecting more sensitive content than operations require.
When Hermes Agent is a fit
Hermes Agent is useful when the team values reusable procedural skills, persistent bounded memory, MCP integrations and a choice of local or isolated execution backends. Its official documentation includes user authorization, dangerous-command approval, file-write controls and container isolation.
For manufacturing, create narrow skills such as "assemble pump maintenance evidence" or "check a work pack". A skill should describe the approved procedure and tools, not bypass plant controls. Require approval for skill changes so a learned procedure cannot silently alter future behaviour.
When OpenClaw is a fit
OpenClaw is useful when the team wants isolated agents or workspaces, channel routing and a broad self-hosted assistant experience. Its official security guidance explicitly warns that prompt injection can arrive through web pages, email, documents, attachments and other content even when only trusted people can message the agent.
For industrial use, separate a read-only content agent from any agent that has write tools. Keep web browsing disabled on privileged agents unless there is a defined need. Use sandbox mode, deny unnecessary tools and bind each project or customer to its own workspace and credentials.
The minimum security controls
| Control | Industrial implementation | Test |
|---|---|---|
| Identity | Named users, approved channels and role mapping | Unauthorized user is denied |
| Tool policy | Explicit allowlist with read-only defaults | Write and shell tools are unavailable |
| Sandbox | Isolated container or remote workspace | Agent cannot access host or other projects |
| Network | Egress allowlist and no route to control assets | Unapproved destinations fail closed |
| Secrets | Short-lived, scoped credentials outside prompts | Agent cannot print or reuse unrelated secrets |
| Content boundary | Untrusted documents processed by a low-privilege reader | Injection text cannot trigger privileged tools |
| Approval | Named human approves material writes or messages | Action cannot complete without approval |
| Audit | Request, source, tool, output and decision trace | Reviewer can reconstruct the result |
Do not bridge directly into OT
NIST describes OT as systems that interact with the physical environment and emphasizes performance, reliability and safety. A general-purpose agent should not have a direct route to PLCs, DCS, SIS or engineering workstations.
If plant data is needed, publish a limited, read-only view through a customer-approved historian replica, API gateway or data service. Remove control methods, enforce rate limits and validate identifiers. Any later write workflow needs a separate hazard, cybersecurity and engineering assessment with deterministic interlocks outside the language model.
A technical pilot plan
- Threat-model one workflow and classify every source and proposed action.
- Deploy one agent in an isolated environment with no OT route and no write tools.
- Connect a curated read-only document index or API with scoped credentials.
- Create a test set including prompt injection, conflicting documents, missing sources and unauthorized requests.
- Measure source accuracy, task completion, blocked actions, unsafe suggestions and reviewer effort.
- Add one tightly scoped approval-based action only after the read-only boundary passes testing.
How to choose between them
Choose based on the workflow, security architecture, team skills and the exact current project capabilities. Both projects are changing quickly, so verify official documentation and release notes before designing a production deployment. A short sandbox evaluation with the same model, documents and controls is more useful than a generic feature checklist.
The manufacturing value comes from the governed workflow and industrial boundary. The agent framework is one replaceable component inside that system.




