Your Hermes Agent Is Leaking API Keys (10-Min Fix)

Added: 2026-05-23

[00:00:00]Hermes agent leaked my Fire crawl API key eight times in chat logs. I ran the audit and here it was Fire crawl API key in eight session transcript files.

[00:00:10]So the problem is that Hermes agent stores the API keys and secrets on disk in the dot ENV file in plain text. To be clear, this doesn't mean that there is anything wrong with Hermes or this approach if you're running a private instance. If you're doing a lot of scraping or social media crawling or email triage where your agent can get prompt injected, then it can become a problem. Like in this example, about 10 days ago this post went viral where you have this prompt injection text here and the agent probably Hermes or OpenClaw handed over all the API keys gladly.

[00:00:47]There are actually two different problems here. One is exposure, your key sitting in plain text on disk in the dot ENV file or the logs, and prompt injection. So malicious text on the internet that tricks your agent into giving out the keys. So to address the first issue, Immunos research just released an update for Hermes agent that allows you to integrate Bitwarden Secrets Manager directly with Hermes to move your secrets out of the ENV into Bitwarden Secrets Manager and to have one central place to manage those keys and you can rotate them easily. And that's why in this video I'm going to show you exactly how to set this up step-by-step from Bitwarden Secrets Manager to Hermes side and integrate it in 10 minutes. And once this is all finished, I will show you what this does not solve and how we can solve it with Agent Vault, which is going to be one of my next videos. So if you have not subscribed, feel free to do so and like the video if you find it useful or leave a comment if you have any issues or questions. To set up Bitwarden with Hermes agent, we're going to read the documentation in here. I'm going to leave everything in the description so you can easily access all this. And first thing is to update. If you have not updated. Just type and let it run for a few seconds. And then we are going to go into secrets manager and create a new project while this is running.

[00:02:09]First, we need to unlock the vault with the master password. If you don't have the account, you need to go to the secrets manager here. Let me just pull it up here so you can see. So, it's secrets manager, not password manager.

[00:02:22]If you already have a Bitwarden, you need to go to secrets manager, probably sign up for something, and so on. Make a new project. Make it Hermes keys.

[00:02:33]You can name it whatever you want.

[00:02:35]New secret.

[00:02:37]It's going to be Open Router API key.

[00:02:43]And then we are going to go to Open Router and create a new key.

[00:02:51]I'm going to nuke all these, so don't worry.

[00:02:56]Copy this and place it in the value section. And then we can project save.

[00:03:06]And then we'll go to machine accounts and create a new machine account.

[00:03:14]It can be It can be something like Hermes dev.

[00:03:23]Add Hermes keys to this one.

[00:03:26]Can read.

[00:03:28]And now you have the machine account.

[00:03:30]And then you will need the access token.

[00:03:34]You can set the expiration if you want.

[00:03:36]I'll leave it at never.

[00:03:39]And then you're going to copy this and leave it somewhere secure for the time being.

[00:03:48]And then we are going to go back to Hermes and then we're going to consult the documentation again. Hermes secrets before the setup.

[00:03:57]Go back here.

[00:03:58]I just pull it up so you can see.

[00:04:04]And we need to provide the access token that we just got. It will not show up so just press one here.

[00:04:11]And then we're going to test it.

[00:04:14]This one.

[00:04:18]And we can see that this is enabled and it has this access.

[00:04:22]It has the token.

[00:04:24]And we're going to do Hermes model here.

[00:04:31]And then you can see that this pulled from I don't have the open router API key just so you know.

[00:04:39]And then if we go to open router.

[00:04:45]And you can see that it's pulling from Bitwarden secrets manager applied one secret open router API key.

[00:04:52]And we want to keep. So just press enter here.

[00:04:57]And we can choose any model here.

[00:05:00]Whatever. Choose this one.

[00:05:04]And then we can type Hermes. It's pulling from the secrets manager as you can see here.

[00:05:11]Open router API key.

[00:05:14]We can just type hi to see if this works.

[00:05:17]And you can see applied one secret.

[00:05:20]Open router API key. So you can see how easy this was. Took us what? 5 minutes to set everything up. It's now using BWS as the key storage and if you want to add more you can just go back here to secrets and then add new secret and basically have all your keys stored in here and then you have one machine key which is this one and if you need to re-walk it, reset it, you can just do so from here without having to go to 15, 20 different providers and reset all those keys. So, from that standpoint, it's much easier to manage. But, my question now is, does this prevent prompt injection attacks or to what degree? And I will look into this further, but from what I've researched, Bitwarden retrieves the keys, but it also stores them in OS environment. So, it's essentially memory, not disk. So, I'm not sure the prompt injection attack is completely negated here. And if you go and compare it to something like Agent Vault, which is a broker, not just a retrieval system, the keys are not present at all.

[00:06:31]There is only a placeholder in the place of the keys, and it gets pulled on every request. Here, the keys go into the OS environment, so technically they are still present in raw form, just not on disk, which is a much bigger improvement, of course. Does it stop exfil on prompt injection? No, according to this research. If this is wrong, let me know in the comments or contact me, whatever. But, here, it does stop. There are no real secrets to leak.

[00:07:01]The central location for managing the keys is Bitwarden, and it's great for that, absolutely. The setup is 5 minutes, as you've seen.

[00:07:10]Here, it's 30 to 60 minutes, so much higher effort. Network dependencies on every call versus startup. And this is best for a single box, private box. You manage everything from one central place, and it's just easier for management.

[00:07:25]Here is for internet-exposed agents that are running dirty tasks on social media or scraping or email triage, so it's perfect for that use case. So, that wraps it up for this video. I will do more research on this and on the agent vault and how these two compare and in one of my next videos I'll show you how to set up agent vault so you can see for yourself is it worth the trade off of your time and complexity that it adds versus the security and isolation that it brings as well. If you have any questions leave it in the comments or feel free to connect on X or LinkedIn and thank you so much for watching.