AgentOS Watch
EN 中文
← All updates
2026-05-13 Risk note Risk

Hermes patches a subtle but serious safety rule: silence is not consent

Hermes PR #24923 fixes a clarify-tool timeout behavior that matters for anyone using agents around irreversible actions. The CLI callback previously told the model that, if the user did not answer in time, it should “use your best judgement to make the choice and proceed.” For permission-style questions, the PR notes that this can be interpreted as approval for destructive actions such as `rm -rf .git`. The fix changes timeout language to an explicit refusal and adds tool-description guidance so the model knows before asking. Around the same window, Hermes is also tightening operational edges: #24925 stops session_search from loading whole 800-message conversations when only FTS match windows are needed, #24927 tracks false failure classification when successful writes include diagnostics, #24928 strips inherited Python paths before terminal subprocesses on Windows, and #24930 repairs browser launch flags on root or AppArmor-restricted hosts.

ImpactRisk Sources3 Audienceoperator · developer · team
Why it matters

Approval UX is security infrastructure. A timeout that sounds harmless in a chat loop becomes a policy bug when the model treats it as user approval. This is a good reminder that agent safety depends on the exact words passed back into the model, not just on whether an approval tool exists.

Evidence
  • PR #24923 states that clarify timeouts returned “Use your best judgement to make the choice and proceed,” and changes this to an explicit refusal for destructive or irreversible actions
  • The PR adds regression coverage in tests/tools/test_clarify_tool.py and keeps gateway callback behavior separate from the CLI callback path
  • PR #24925 replaces full-conversation session_search loading with FTS5 match windows, citing 866-message sessions that can now load roughly 11 messages per match
  • Issue #24927 says successful write_file or patch results can be misclassified as failures when nested diagnostics contain error text
  • PRs #24928 and #24930 address Windows terminal Python environment leakage and browser --no-sandbox flag injection
Risk notes
  • The main clarify fix is still a PR, so deployments need to wait for merge or patch locally
  • Non-interactive oneshot behavior intentionally remains different, so operators should verify their exact entrypoint
  • Changing timeout semantics can make some workflows stop instead of proceed; that is safer, but may require clearer user prompts

Related reading

More updates touching the same products.

2026-05-15

Hermes’ workflow core arrives beside a URL-safety bypass fix and profile-scoped scheduled jobs

2026-05-15

Hermes adds structured HTTP and argv tools to escape the bash-quoting trap

2026-05-14

Hermes approval hardening closes a critical YOLO-mode bypass and exposes long-session failure modes