Hermes just mass emailed a bunch of accounts from 2020 with pairing requests.
Posted by lickonmybbc@reddit | LocalLLaMA | View on Reddit | 61 comments
Hermes email integration is a bidirectional chat channel, not an inbox reader. if you connect it expecting to solely read your emails, it could instead treat every email sender as a stranger trying to dm your bot and reply to them with a pairing code.
I wanted Hermes to skim my inbox and surface job leads. I already had the python script ready and working fine. I figured hey I can have Hermes summarize this on Telegram easily.
things it sent from my Gmail, to actual humans and automated senders:
```
Hi~ I don't recognize you yet! Here's your pairing code: _____ Ask the bot owner to run: hermes pairing approve email _______

Too many pairing requests right now~ Please try again later!

Interrupting current task. I'll respond to your message shortly.
```
the third one was its response to me trying to stop it, which it then emailed to whoever it was mid-pairing with. beautiful.
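One way a mail-facing bot can decide whether an automatic reply is allowed at all, shown as an added example (it is not Hermes code and not part of the original post). The allowlist address, the robot local-parts, the per-run cap and all function names are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the only address allowed to talk to the bot, and a hard cap per run.
ALLOWED_SENDERS = {"owner@example.org"}
ROBOT_LOCALPARTS = {"noreply", "no-reply", "donotreply", "mailer-daemon", "postmaster"}
MAX_REPLIES_PER_RUN = 3

def is_automated(msg):
    """True when headers mark the mail as machine-generated (RFC 3834, list headers)."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return True
    if (msg.get("Precedence") or "").strip().lower() in {"bulk", "junk", "list"}:
        return True
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    return local in ROBOT_LOCALPARTS

def reply_decision(msg, allowed=ALLOWED_SENDERS):
    """Return (may_reply, reason). From is forgeable: this limits blast
    radius, it does not authenticate the sender."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if not addr:
        return False, "no sender address"
    if is_automated(msg):
        return False, "automated sender"
    if addr not in allowed:
        return False, "sender not allowlisted"
    return True, "allowlisted"

def plan_replies(raw_messages, allowed=ALLOWED_SENDERS, cap=MAX_REPLIES_PER_RUN):
    """Addresses that would receive a reply; every other message is left unanswered."""
    recipients = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        ok, _reason = reply_decision(msg, allowed)
        addr = parseaddr(msg.get("From", ""))[1].lower()
        if ok and addr not in recipients and len(recipients) < cap:
            recipients.append(addr)
    return recipients

# Constructed sample inbox: owner, a stranger, a newsletter, a robot, an auto-reply.
SAMPLE = [
    "From: Owner <owner@example.org>\nSubject: hi\n\nping",
    "From: Dana <dana@recruiting.example>\nSubject: Role\n\nhello",
    "From: news@shop.example\nList-Unsubscribe: <mailto:u@shop.example>\nSubject: Sale\n\n-",
    "From: noreply@forge.example\nSubject: Build failed\n\n-",
    "From: owner@example.org\nAuto-Submitted: auto-replied\nSubject: Out of office\n\n-",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        m = message_from_string(raw)
        print(m["From"], "->", reply_decision(m))
    print("would reply to:", plan_replies(SAMPLE))
```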
FullstackSensei@reddit
Can someone explain to my smooth brained self why anyone needs a cloud based tool to send/write/delete emails? I'm not even discussing the security implications of granting 3rd parties access to your email.
I'm pretty sure 7B models from over a year ago can write a python script that provides read-only access to your email via pop3/imap. I'm also pretty sure the same models from 6 months ago can write you an MCP to do the same.
Also, isn't this r/LocalLLaMA?
Yorn2@reddit
I have an openclaw-created setup that takes messages from text, email, and etc. from my non-tech parents and creates actual calendar (ICS) invites that it sends me over email and I then approve to be added to my calendar. I can even choose to invite the person texting/emailing me to the event as well or choose the people they mention in the message to be added to the event. The great thing is it's a tool created by my openclaw and it doesn't do any inference based on the email or text itself, it delegates that to a small 1B model that is trained to only handle these kinds of texts/emails. Again, trained by my openclaw for me to use for this specific use case. I know a lot of people on this sub hate openclaw, but if you are using these tools for anything, it should be for creating even better tools to automate specific tasks for you, not for automating it directly. These things are programmers, not personal assistants, have them program tools to make your life easier, not try to make your life easier for you.
FullstackSensei@reddit
Cool use case, seriously! but what was exactly openclaw's contribution here? For such relatively simple tasks, a straight prompt to the LLM would have given you the same result, no? The programmer is the LLM, not the tool used to invoke it.
The hate for Openclaw and similar tools stems from them requiring full direct access to the entire system plus a lot of personal/sensitive information.
Yorn2@reddit
I don't know how to train models myself. Or well, I do, but it reduced the timeframe significantly. The whole point was NOT to send untrusted data straight to an LLM that could actually do anything with it. I needed it to train a model that was so specialized it could only create ICS files.
For what it is worth though, there's a website hackmyclaw.com that shows that if there is a way to remotely hack openclaw via email, it's not so easy that people are doing it actively.
Also, I don't use cloud models, so maybe this doesn't fit your exact question, everything I've made has been created using Minimax M2.5 or M2.7. I do run my homelab as a "cloud" though.
FullstackSensei@reddit
I understood the model training part from your original comment. My question is how did openclaw facilitate this vs asking the same LLM powering Openclaw to create a python script to generate training data and train the model.
ICS is a simple text format where a simple python script can generate thousands of examples without any LLM using a simple list of names and random values for dates, etc. The fine tuning script is also something pretty much any model from the past year knows how to spit out, be it with Pytorch or easier frameworks like HF or unsloth.
Yorn2@reddit
Everyone always asks this without having ever used openclaw or hermes or any of these solutions that not only program but build the scaffolding for it.
Do you know how to train a brand new model from scratch? Doesn't matter, you can ask openclaw to do it for you. That's basically what I did. I kind of knew, but now not only do I know now how it works, but openclaw built everything for me. It even provisioned the VM for me. Do you still provision your own VMs? Still running apt-get? Still moving your ssh keys by hand? I'm not and haven't been since I got openclaw set up and had it build the scaffolding to do it all for me.
FullstackSensei@reddit
Yes, I provision my own VMs and make my own backups, because I need certainty, especially with backups.
Good for you that you're doing all these things via openclaw. I guess you're fine with the risk of your SSH keys getting leaked, or the backup you think you had can't be restored or doesn't have the info you need.
I don't outsource my own infrastructure to an LLM for the same reason I don't outsource it to any 3rd party. I need to have certainty that it's there, that it works, and that it's secure. The countless security issues with open claw, the countless attack vectors, and the countless horror stories of LLM's running in openclaw deleting or saying things were done when they weren't is more than enough for me not to trust it.
I'm not against LLMs, nor using them for automation. Just last week Qwen did most of the heavy lifting in setting up two build systems to build custom Linux images for two embedded boards. I didn't give it filesystem access on purpose, because: 1) I want to learn and understand what's happening, and 2) I want to know for sure it's not going to do anything that would mess up anything in my homelab.
You do you. All I'm saying is: I, personally, do not want to outsource the things I don't know or understand to an LLM.
Yorn2@reddit
So a few things:
Look at this from my perspective. First you ask what can Openclaw actually do. I give an example. You ask me what is Openclaw REALLY doing and then I tell you and now you say "Well I would NEVER let an AI do THAT!". It's partially why I can't take this sub seriously anymore. Are we really using Local LLMs on this sub or not?
And if you aren't managing your homelab with a Local LLM driven agent, why not? Yes, seriously, I'm asking the question. A year ago if I botched a script or command line task and it rm -rf'd any of my VM drives I'd have probably been screwed because my backups were kind of shit. My backups were the first thing I had Openclaw help me fix because I had sat on my ass not wanting to actually implement any backup testing or scripting. Now I can have it kill a random VM right now and it can restore it. Well, except for one of my VMs, but eventually I'll have more live backups. I then removed openclaw's access to anything backup-related. I had it work on network stuff and shoring that up, now I have a script I can activate from my phone if I want it to have access to that. Guess what built that script?
I mean, to each their own, but you CAN control what it has sudo access to do. If there's some task you've been dreading working on in your homelab, even if you don't want to use hermes or openclaw you could probably build a pi agent to do some form of it. Then you can point it manually at the next task you want to work on and take away its access again.
I guess the problem is that no one really sees the value of a tool till they set it up and use it and then they realize a few months later there's no way in hell they'd give it up. When my Openclaw broke a few weeks ago I was devastated. Not because I cared about an "AI" but because I was in the middle of working on an n8n setup for a client and Openclaw was even building my n8n workflows for me. I don't know what the Neo-Luddite drive in this sub is against local agents running on local LLMs, but it doesn't make sense to me.
FullstackSensei@reddit
You have told me a lot about what you have done using Openclaw but, to me at least, all of that was done by the capabilities of the underlying LLM. The only thing I can see openclaw adding here is automated execution (which comes from pi). I've watched a few hours of Mario Zeichner talking about pi, which I think is cool. I've yet to understand what is openclaw adding on top, because if your LLM can execute bash, it can do pretty much anything.
One of the biggest issues I have with Openclaw is that it's obscuring what's happening, turning the actions into a sort of black box you have no observability over, much less control. I read an article that a sizeable portion of Openclaw skills contained prompt injections. So, even if you aren't exposing it to the internet directly, if you use skills you're one curl | bash away from executing a malicious script.
I read a lot of comments like yours about what people have done with openclaw, but no explanation why this couldn't have been done with the same LLM without Openclaw. At the same time, I read a ton about the security issues with it, but can't find much about how to run it safely, if that's possible at all.
Yorn2@reddit
Yes. I did all the above without copying and pasting. Again, you can build in the controls. It will build the controls for you. At the end of the day I'm way more productive with it than without it. Maybe I could get the same sort of stuff done with Opencode, but Openclaw builds its own scaffolding, and I have a suspicion software like Opencode and Claudecode and Openclaw are going to become virtually indistinguishable from each other in the near future. For one, Opencode just recently patched in so many security features that by default it basically cannot do anything on the local network. My guess is that over time Openclaw is going to become more security-driven, and Opencode and Claude Code will become more self-improving.
JChataigne@reddit
Not OP but I recently started using Hermes. Regarding security issues, I isolate it in its container, and gave it its own calendar to update by itself (I can also access it, but there's no risk for Hermes to erase events I manually set for myself).
The advantage is how much it simplifies things. I pasted the calendar URL and credentials in a telegram chat, told Hermes to create a skill to manage it, and it was done. Now in the same chat I can, for example, take a picture of a concert poster and tell Hermes to make it an event in the calendar.
On the convenience side, it groups many functions in one interface. Maybe I'm not up-to-date with LLM chat interfaces, but currently it's difficult to do outside of vendor-provided integrations (like, you can connect your Google calendar, but mine is self-hosted on nextcloud, so not supported). Also on the programming side, the model did a few turns of back-and-forth by itself (I used a small model that couldn't one-shot the task), it created the skill without any other input from me.
WoodCreakSeagull@reddit
Hermes is a harness you can plug any LLM into, including locally hosted ones. I'm testing it out myself to make a "virtual employee" with its own email that it can read and gradually add to a growing knowledge base with the other data I give it, and eventually when I feel comfortable I might even allow it to reply.
As to why? In the future to have others potentially communicate with it via email, sending documents etc. that it will be able to slot into its existing workflows. It's experimental but so is just about everything right now.
needlzor@reddit
Are you documenting your test in any way? I've been thinking about building something similar, except more as a virtual intern, because of lack of funding (I'm an academic).
assotter@reddit
I'm glad I set up my own email just for Hermes. My e-mail account hasn't deleted ANY messages since 2003ish (whenever Gmail was doing the invite only test for Gmail accounts). Since I'm sure I will be asked, the reason I don't delete emails is because as a kid I liked the idea of having a 100% archive of every message I can go back to. As an adult it's proven invaluable for a multitude of reasons.
Cupakov@reddit
Wait, people delete emails?
Vivid_Fan9346@reddit
I don't even read them; so no need to delete them
balder1993@reddit
I delete mostly from mail lists.
IrisColt@reddit
Same but back to 1996 (not Gmail, heh).
xrvz@reddit
I finally gave in and started deleting emails that contain 2FA codes.
lickonmybbc@reddit (OP)
a dedicated account is the right call. have you had any issues with Hermes reading your inbox with your use case? I also really appreciate the hoarding, there's something moving about having this digital evidence of a life lived
ObsidianNix@reddit
I only did read only. Sending emails is more dangerous.
abitrolly@reddit
Hermes doing its Greek thing. Classic.
relentlesshack@reddit
This is the kind of stuff I live for on this sub. We have to know how these things fail to know what needs to be designed better.
ambient_temp_xeno@reddit
'Nous Hermes' and 'access to your email' what could possibly go wrong?
Dry_Yam_4597@reddit
hmmm interesting, what is the issue with nous hermes?
ambient_temp_xeno@reddit
It's like getting TheBloke to do your taxes and having Unsloth walk your dogs.
ambient_temp_xeno@reddit
(the bloke was never seen again, unsloth would bring the wrong dog back and keep replacing it with a better match over the course of a week)
rinmperdinck@reddit
Dog would come back extremely fat and unsloth would be like, "this is the XL version"
zdy132@reddit
Mysteriously, the new dog would still perform the tricks of your old dog, not as good, but close enough.
Dry_Yam_4597@reddit
I think the whole idea of an open agent is for people to customize it as they see fit. I don't know how we ended in a world where people think an open source tool _must_ do exactly what they want. Not being negative or dismissive, but you know, people should rip it apart and mold it according to what they need.
aichiusagi@reddit
Graphic design is their passion.
Dry_Yam_4597@reddit
It does seem like.
ObsidianNix@reddit
The issue is that they used it correctly. Just didn’t set it up correctly
Dry_Yam_4597@reddit
Yes but I was curious if there was something specific about nous hermes - I like their products and ideas, and was worried it might be yet another AI bro company that does some dodgy stuff.
ObsidianNix@reddit
Nope. It’s called a harness. It’s tools for an LLM to use. Hermes makes no decisions, the llm does.
They actually make LLMs, train them and do research; so they understand more on how they work than a typical AI bro. They even partnered with other LLM providers and ask users not to use their AI as they know their AI was not trained for tool use.
Dry_Yam_4597@reddit
You are missing the point - users should define what tools it has at its disposal, not the LLM. You can't throw things at it and expect it to just behave. Not even humans do it. Some use knives for bad stuff others to cook meals. Others are too young to use knives securely - such as LLMs are now.
russjr08@reddit
In the context of Hermes the agent harness, you do define what tools it has via its "skills" system - OP would've explicitly configured email if it has access to their emails
Dry_Yam_4597@reddit
Well not that I blame OP, these are new tools and concepts, but people really need to spend more time getting to know these things.
ObsidianNix@reddit
Definitely. I mean that has been stated for a while; not only will it confuse the LLM but it will also take up a huge amount of tokens providing all the tools available and having the LLM choose what it needs. That’s why the whole MCP, AGENTS, SKILLS things got popular. Not only will you be able to provide more concise tools with more options (i.e. Hammers >> BallPointHammer/GeneralHammer/Mallet/etc.) as well as instructions to when and how to use those tools.
Now take that into consideration, it’s still a lot of tokens but that’s why everyone who is training LLMs is trying to get data back on how people use this in order to train their LLMs how to use their harnesses and when to call the tools. Aka, structure. (And why Nous asks people not to use their agents as they have not been trained on tools)
Dry_Yam_4597@reddit
Makes sense - but until sufficient usage data is collected we can't treat these tools as reliable. We are getting there, but one needs to take things with a pinch of salt.
Heck we don't even give humans access to everything let alone nondeterministic tools. Even deterministic tools such as scripts are restricted in what they can access. Mistakes happen.
No_Afternoon_4260@reddit
It's part of that new breed of agent, that does everything including what you don't ask for
Dry_Yam_4597@reddit
Gotcha - things are evolving fast though.
relentlesshack@reddit
I would think that folks would do read only MS Graph API calls instead of this raw dogging of their digital life.
lickonmybbc@reddit (OP)
yeah this is the real lesson. in retrospect i can't think of any real use case in which you'd need full SMTP functionality. staying read-only now
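A read-only inbox skim of the kind discussed here and in the earlier comment about read-only pop3/imap access, shown as an added example (not code from the thread or from Hermes). The keyword list, the function names and the sample headers are assumptions; the script has no SMTP code path, opens the mailbox with EXAMINE semantics and fetches with `BODY.PEEK` so no `\Seen` flags change.

```python
import email
import imaplib
from email import policy

# Assumption: subject keywords that count as a job lead.
KEYWORDS = ("interview", "recruiter", "job opportunity", "position")

def parse_headers(raw: bytes) -> dict:
    """Decode From/Subject/Date from a raw header block (handles MIME encoded-words)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {k: str(msg.get(k, "")) for k in ("From", "Subject", "Date")}

def find_leads(raw_headers, keywords=KEYWORDS):
    """Return parsed headers of messages whose subject matches a keyword."""
    leads = []
    for raw in raw_headers:
        hdr = parse_headers(raw)
        if any(k in hdr["Subject"].lower() for k in keywords):
            leads.append(hdr)
    return leads

def fetch_recent_headers(host, user, password, limit=50):
    """Fetch header blocks of the newest messages without modifying the mailbox."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select("INBOX", readonly=True)      # EXAMINE: server rejects flag changes
        _typ, data = conn.search(None, "ALL")
        ids = data[0].split()[-limit:]
        blocks = []
        for num in ids:
            # BODY.PEEK reads headers without setting the \Seen flag.
            _typ, parts = conn.fetch(num, "(BODY.PEEK[HEADER.FIELDS (FROM SUBJECT DATE)])")
            blocks.extend(p[1] for p in parts if isinstance(p, tuple))
        return blocks

# Constructed header blocks standing in for fetch_recent_headers() output.
SAMPLE_HEADERS = [
    b"From: Dana <dana@recruiting.example>\r\n"
    b"Subject: =?utf-8?q?Interview_invitation?=\r\n"
    b"Date: Mon, 06 Jan 2020 10:00:00 +0000\r\n\r\n",
    b"From: shop@store.example\r\n"
    b"Subject: Your order has shipped\r\n"
    b"Date: Tue, 07 Jan 2020 09:30:00 +0000\r\n\r\n",
    b"From: hr@corp.example\r\n"
    b"Subject: Open position: SRE\r\n"
    b"Date: Wed, 08 Jan 2020 14:15:00 +0000\r\n\r\n",
]

if __name__ == "__main__":
    for lead in find_leads(SAMPLE_HEADERS):
        print(lead["Date"], "|", lead["From"], "|", lead["Subject"])
```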
lickonmybbc@reddit (OP)
I gotta put it to you, I checked the logs, and though 18 successfully sent, 80 emails were actually sent over the course of 6 minutes, luckily most failing with a 535. lesson learned
TallyMay@reddit
What an elaborate way to contact your ex
ebolathrowawayy@reddit
ITT script kiddies for miles and miles.
ebolathrowawayy@reddit
cool dont use retard infra? duh.
doodlesmalone@reddit
There is separate Google Workspace skill that you can use to read emails from your personal account.
This email integration you used is for its messaging gateway, and should be used with a dedicated email account. It is indicated in the documentation but I think it's better to make it clearer in that page that you should not be receiving any other mails for this address. Meaning, it's a unique address that only you know and can send to because it acts as your agent's mailbox.
ayylmaonade@reddit
I'm not sure why you wouldn't just be using the built in Himalaya skill for emails so this doesn't happen, lol.
laffer1@reddit
The directions say to make a new email account for it
cmenke1983@reddit
This is hilarious and at the same time I feel so sorry for you!
a_beautiful_rhind@reddit
AIs get their own accounts for everything. Would you give your personal email to some intern to manage?
ab2377@reddit
so what's hermes email integration?
xXG0DLessXx@reddit
Personally I use OpenClaw (used it before Hermes agent was even a thing) and I did connect email, except I had it create its own email plugin which uses app specific passwords for easy setup, and also gave its own email address. Like a secretary. I just forward emails that I want it to look at for me to it that way. And it can reply using cc, bcc, etc. it even can send html emails like newsletters and stuff if needed.
deejeycris@reddit
I had something similar with the signal gateway. It started spamming my contacts. Embarrassing. I switched to pi, at least it's going to be my AI slop not somebody else's.
nerdlord420@reddit
Use the himalaya skill instead? If you hook your email up as a channel, you should probably understand what that means.
lickonmybbc@reddit (OP)
himalaya skill is a good suggestion, you're right, the docs say it pretty clearly, which i skimmed over. i know now i'm not in fact built different
k0zakinio@reddit
Heh I got the same when I connected my Gmail account up to it too. I swiftly removed it and have since just gone back to ole telegram
jacek2023@reddit