Shared agents need searchable tools and user-level access control
A new May 9 cluster shows OpenClaw and Hermes both moving past the single-user demo shape. OpenClaw PR #79823 adds Tool Search Code Mode: instead of pushing every OpenClaw, MCP, and client tool schema into the prompt, the model can search, describe, and call tools through one compact bridge while existing policy, approvals, logging, and loop detection remain in the call path. Hermes PR #22509 takes the shared-agent problem to Discord with Daimon: admins get host-level Hermes, regular users get a Docker-sandboxed agent with iteration caps, per-tool limits, tier-aware routing, and admin controls. Hermes RFC #21574 gives the user story behind it: multi-user gateways quickly need per-user memory, identity, and permissions, or one person can contaminate another user’s agent context. The companion toolset regression #22601 / PR #22608 is the operational warning: optional integrations must not accidentally remove core tools such as terminal, file, web, browser, vision, skills, delegation, cron, and memory.
The next bottleneck for agent systems is no longer only model quality. It is whether a shared agent can find the right tool without bloating prompts, call that tool through the right policy boundary, remember each user separately, and avoid giving casual users host-level power. These changes make the team/shared-agent transition concrete rather than theoretical.
- OpenClaw PR #79823 introduces a bundled tool-search-code-mode plugin, one compact `tool_search_code` bridge, structured fallback tools, and per-session cataloging across OpenClaw plugin tools, MCP tools, and client/app tools
- The OpenClaw PR explicitly says calls still resolve through existing tool implementation, hooks, policy, approvals, loop detection, and session logging instead of bypassing governance
- Hermes PR #22509 describes Daimon as a multi-user Discord bot tested in the Nous Research server, with admin/user tiers, Docker-backed terminal execution, per-tool limits, session caps, daily per-user limits, redaction, thread ownership, and admin commands
- Hermes RFC #21574 reports a real prompt-injection/memory-contamination story when multiple people used one Telegram gateway, motivating per-user agents, separated memory, identity, and permissions
- Hermes issue #22601 and PR #22608 document and fix a regression where mixing a composite toolset such as `hermes-cli` with an optional integration such as Spotify could make sessions lose native tools including terminal, file, web, browser, vision, skills, delegation, cron, and memory
- OpenClaw Tool Search Code Mode and Hermes Daimon are PR-stage at aggregation time, not tagged releases
- A code bridge for tool calling needs careful provider/model gating; teams that do not want executable snippets should use structured fallback tools
- Docker sandboxes and per-tool limits reduce blast radius but do not replace identity, memory, workspace, and approval isolation
- Toolset configuration fixes are easy to miss in staging because the failure can look like the model “forgot how to use tools” rather than a config expansion bug
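
A session-level check for the toolset regression described above, as an added example that is not Hermes or OpenClaw code: it expands the configured toolsets and compares the result with the tools a session actually exposes, so a dropped core tool shows up as a config fault and an extra tool shows up as an access-control fault. The registry layout, the `core` toolset name, the Spotify tool ids, and the function names are assumptions; only `hermes-cli` and the core tool list come from the text.

```python
# Added example. Registry contents and function names are hypothetical.
CORE_TOOLS = frozenset({"terminal", "file", "web", "browser", "vision",
                        "skills", "delegation", "cron", "memory"})

# Constructed registry: a toolset lists tool names and/or other toolsets.
TOOLSETS = {
    "core": sorted(CORE_TOOLS),
    "hermes-cli": ["core"],                          # composite toolset
    "spotify": ["spotify_play", "spotify_search"],   # optional integration
}

def expand(names, registry=TOOLSETS, _seen=None):
    """Return the union of all tools reachable from the requested toolsets."""
    seen = set() if _seen is None else _seen
    tools = set()
    for name in names:
        if name in seen:            # already expanded; also breaks cycles
            continue
        if name not in registry:    # not a toolset, so treat it as a leaf tool
            tools.add(name)
            continue
        seen.add(name)
        tools |= expand(registry[name], registry, seen)
    return tools

def audit_session(requested, resolved, registry=TOOLSETS):
    """Compare the tools a session exposes with what its config should yield."""
    expected = expand(requested, registry)
    exposed = set(resolved)
    missing = expected - exposed
    return {
        "ok": not missing and exposed <= expected,
        "missing": sorted(missing),
        "missing_core": sorted(missing & CORE_TOOLS),   # regression symptom
        "unexpected": sorted(exposed - expected),       # more access than configured
    }

if __name__ == "__main__":
    requested = ["hermes-cli", "spotify"]
    # Constructed symptom: the optional integration replaced the core tools.
    faulty = ["spotify_play", "spotify_search"]
    print(audit_session(requested, faulty))
    print(audit_session(requested, expand(requested)))
```

Running the audit when a session is created, and logging `missing_core`, separates a config expansion fault from a model that is simply not calling tools.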