Connecting Hermes Agent to MCP does not by itself mean your API key will leak, provided you configure it within the security boundary. In the official security model, MCP stdio sub-processes receive only a filtered set of environment variables by default; sensitive variables such as API keys, tokens, and secrets are not passed through casually. The real danger is usually that users write their own keys into an MCP server's env or headers, or grant overly broad tool permissions.
How to understand the security boundary
- Environment variable filtering: by default, only PATH, HOME, USER, language- and terminal-related variables, and XDG_* are passed through.
- Explicit env is transmitted: the env you write in the MCP configuration is passed to the server, so do not stuff unrelated keys into it.
- OAuth is better suited to third-party login: v0.8.0 supports MCP OAuth 2.1 with PKCE, which suits services that require authorization.
- OSV scanning is not a panacea: it reduces the risk of malicious packages, but it cannot tell whether a tool is over-privileged.
How to configure it more robustly
First, configure a separate least-privilege key for each MCP server; do not reuse a master account's universal token. Second, use tools.include allowlists to limit which tools can be called. Third, point the filesystem MCP only at the project directory rather than exposing the whole home directory. Fourth, disable, or at least confirm before use, any tools that can write, delete, send messages, place orders, or change permissions.
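As an added illustration (not Hermes Agent's own code), the following Python models the boundary described above together with the hardening steps: default environment filtering, explicit env always passing through, a check for credential-looking names in the explicit env, and a tools.include allowlist. The exact default variable names and the allowlist semantics are assumptions; the page names only the categories.

```python
import re
from typing import Dict, Iterable, List, Optional

# Default pass-through set modelled on the page's description. The specific
# language and terminal variable names are an assumption.
DEFAULT_PASSTHROUGH = {"PATH", "HOME", "USER", "LANG", "LANGUAGE", "TERM", "COLORTERM"}
PASSTHROUGH_PREFIXES = ("LC_", "XDG_")

# Heuristic for credential-looking variable names, used only to warn operators.
SECRET_NAME = re.compile(r"(API_?KEY|TOKEN|SECRET|PASSW(OR)?D|CREDENTIAL)", re.IGNORECASE)


def is_passthrough(name: str) -> bool:
    """True if a parent-process variable would be forwarded to the stdio server by default."""
    return name in DEFAULT_PASSTHROUGH or name.startswith(PASSTHROUGH_PREFIXES)


def build_child_env(parent_env: Dict[str, str], explicit_env: Dict[str, str]) -> Dict[str, str]:
    """Filter the parent environment, then layer the server's explicit env on top.

    Explicit entries are always forwarded: a key written into the MCP config's env
    reaches the server even though the same key in the parent env would be filtered.
    """
    child = {k: v for k, v in parent_env.items() if is_passthrough(k)}
    child.update(explicit_env)
    return child


def audit_explicit_env(explicit_env: Dict[str, str]) -> List[str]:
    """Names in the explicit env that look like credentials and deserve review."""
    return sorted(k for k in explicit_env if SECRET_NAME.search(k))


def allowed_tools(server_tools: Iterable[str], include: Optional[Iterable[str]]) -> List[str]:
    """Apply a tools.include allowlist; no allowlist means every advertised tool is callable."""
    tools = set(server_tools)
    if include is None:
        return sorted(tools)
    return sorted(tools & set(include))


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    parent = {"PATH": "/usr/bin", "HOME": "/home/dev", "USER": "dev", "LANG": "en_US.UTF-8",
              "XDG_CONFIG_HOME": "/home/dev/.config", "OPENAI_API_KEY": "sk-constructed"}
    explicit = {"GITHUB_TOKEN": "ghp_constructed", "MCP_ROOT": "/home/dev/project"}
    child = build_child_env(parent, explicit)
    print("forwarded:", sorted(child))  # OPENAI_API_KEY is dropped; GITHUB_TOKEN is forwarded
    print("review these:", audit_explicit_env(explicit))
    print("callable:", allowed_tools(["read_file", "write_file", "delete_file"], ["read_file"]))
```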
In a team environment, also look at Hermes Agent's gateway user allowlist, dangerous-command approval, and the Docker/SSH backend. MCP security is not a switch but a set of boundaries: who can issue commands, what tools can do, what the keys can reach, and where execution happens.
Official open-source repository: https://github.com/NousResearch/hermes-agent; official documentation: https://hermes-agent.nousresearch.com/.