Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

overthinkos/hermes

Name: hermes
Author: overthinkos

ov-images/skills/hermes/SKILL.md

npx skillsauth add overthinkos/overthink-plugins hermes

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Image: hermes

Full-featured standalone Hermes AI agent. No browser or desktop — designed for cross-container deployment alongside selkies-desktop (shared Chrome via BROWSER_CDP_URL) and jupyter (MCP notebooks via OV_MCP_SERVERS).

Definition

hermes:
  base: fedora
  layers:
    - agent-forwarding
    - hermes-full      # hermes + claude-code + codex + gemini + dev-tools + devops-tools + ov + tmux
    - dbus

Layer Stack

| Layer | Purpose | |-------|---------| | agent-forwarding | SSH + GPG agent forwarding into container | | hermes | AI agent with LLM auto-config, MCP, browser tools | | claude-code | Anthropic Claude Code CLI | | codex | OpenAI Codex CLI | | gemini | Google Gemini CLI | | dev-tools | bat, ripgrep, neovim, gh, direnv, fd-find, htop, podman-compose, etc. | | devops-tools | AWS CLI, Scaleway, kubectx/kubens, OpenTofu, wrangler, bind-utils, jq, rsync | | ov | Overthink CLI for in-container management | | tmux | Terminal multiplexer for persistent sessions | | dbus | D-Bus session bus |

Quick Start

ov image build hermes
ov config hermes -e OLLAMA_API_KEY=your-key   # or OPENROUTER_API_KEY
ov start hermes
ov shell hermes -c "hermes chat"

Configuration

The hermes entrypoint performs a single-phase, first-start-only auto-configuration of LLM providers and MCP servers. Guarded by # ov:auto-configured sentinel in config.yaml. To reconfigure: delete /opt/data/config.yaml and restart. API keys are synced to .env on every start (handles rotation).

LLM provider based on which env var is set:

| Priority | Env var | Provider | Default model | |----------|---------|----------|---------------| | 1 | OLLAMA_HOST | Local Ollama | qwen2.5-coder:32b | | 2 | OLLAMA_API_KEY | Ollama Cloud | kimi-k2.5:cloud | | 3 | OPENROUTER_API_KEY | OpenRouter | qwen/qwen3.6-plus:free |

Override the default model with HERMES_MODEL env var. Additional env_accepts:

| Variable | Description | |----------|-------------| | TELEGRAM_BOT_TOKEN | Telegram bot token for messaging | | SLACK_BOT_TOKEN | Slack bot token | | DISCORD_BOT_TOKEN | Discord bot token |

# Ollama Cloud
ov config hermes -e OLLAMA_API_KEY=your-key

# OpenRouter with custom model
ov config hermes -e OPENROUTER_API_KEY=sk-or-xxx -e HERMES_MODEL=google/gemini-2.5-flash

# Local Ollama (OLLAMA_HOST auto-injected by ov config ollama --update-all)
ov config hermes

# Or via .env file in the data volume
ov shell hermes -c "vi /opt/data/.env"

The data volume (/opt/data) persists: sessions, skills, memories, logs, config, and .env.

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy selkies-desktop (provides BROWSER_CDP_URL)
ov config selkies-desktop
ov start selkies-desktop

# 2. Deploy jupyter (provides jupyter MCP server)
ov config jupyter --update-all
ov start jupyter

# 3. Deploy hermes (consumes both)
ov config hermes -e OLLAMA_API_KEY=... --update-all
ov start hermes

Hermes receives:

BROWSER_CDP_URL=http://ov-selkies-desktop:9222 — controls desktop Chrome
OV_MCP_SERVERS=[{"name":"jupyter","url":"http://ov-jupyter:8888/mcp"},{"name":"chrome-devtools","url":"http://ov-selkies-desktop:9224/mcp"}] — notebook manipulation + browser DevTools MCP

MCP Server Discovery

When co-deployed with services that declare mcp_provides (e.g., jupyter), hermes auto-discovers and connects to their MCP servers at first start. The OV_MCP_SERVERS JSON env var is injected by ov config and the entrypoint writes the servers into config.yaml under mcp_servers:.

# Verify MCP connection
ov shell hermes -c "hermes mcp list"                    # Shows registered servers
ov shell hermes -c "hermes mcp test jupyter"      # Tests connection (expects 13 tools)

Key Layers

/ov-layers:hermes-full — Metalayer composition details
/ov-layers:hermes — Core agent (env_accepts, browser dispatch, LLM config)
/ov-layers:chrome — Provides BROWSER_CDP_URL (from selkies-desktop)
/ov-layers:chrome-devtools-mcp — Chrome DevTools MCP server on port 9224 (from selkies-desktop)

Related Images

/ov-images:hermes-playwright — Hermes with local Playwright Chromium
/ov-images:selkies-desktop — Desktop with Chrome (cross-container browser provider)
/ov-images:jupyter — JupyterLab with MCP (cross-container MCP provider)

Verification

ov status hermes
ov service status hermes                    # hermes: RUNNING
ov shell hermes -c "hermes --version"
ov shell hermes -c "claude --version"
ov shell hermes -c "codex --version"
ov shell hermes -c "gemini --version"
ov shell hermes -c "ov version"
ov shell hermes -c "echo BROWSER_CDP_URL=\$BROWSER_CDP_URL"
ov shell hermes -c "echo OV_MCP_SERVERS=\$OV_MCP_SERVERS"
ov shell hermes -c "hermes mcp list"              # Should show chrome-devtools, jupyter

Test Coverage

Latest ov test hermes run: 50 passed, 0 failed, 0 skipped. Covers all 4 AI CLIs at ${HOME}/.npm-global/bin/{claude,codex,gemini}

pixi's hermes at ${HOME}/.pixi/envs/default/bin/hermes, plus dev-tools (rg, bat, gh, fastfetch, nvim, htop) and devops-tools (aws, scw, kubectx, kubens, tofu, jq). Deploy-scope: pipewire + hermes services up, /opt/data volume mounted. Uses supervisorctl pid for liveness (hermes-whatsapp is autostart=false — see /ov:test Gotcha #4).

Related Skills

/ov-layers:hermes-full, /ov-layers:hermes, /ov-layers:claude-code, /ov-layers:codex, /ov-layers:gemini, /ov-layers:dev-tools, /ov-layers:devops-tools
/ov:test — declarative testing framework + supervisord gotchas
/ov:config — OV_MCP_SERVERS auto-discovery + secret provisioning
/ov:mcp — verify each MCP server in OV_MCP_SERVERS is actually alive before debugging hermes tool-call failures; ov test mcp list-tools <provider-image> shows exactly what hermes will see
/ov-images:selkies-desktop — companion for shared browser (CDP)
/ov-images:jupyter — MCP notebook tools auto-discovered

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.

/ov:image — image family umbrella (image: entries in overthink.yml, build/validate/inspect/list)
/ov:build — build.yml vocabulary (distros, builders, init-systems)

overthinkos/hermes

ov-images/skills/hermes/SKILL.md

Full-featured standalone Hermes AI agent with AI CLIs, dev tools, DevOps tools, and ov. MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.

tools

Updated Apr 24, 2026

$ install --global

skillsauth

npx skillsauth add overthinkos/overthink-plugins hermes

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 2:24 PM153.0s1 file scanned

SKILL.md

name:: hermes
description:: |

Image: hermes

Definition

hermes:
  base: fedora
  layers:
    - agent-forwarding
    - hermes-full      # hermes + claude-code + codex + gemini + dev-tools + devops-tools + ov + tmux
    - dbus

Layer Stack

Quick Start

ov image build hermes
ov config hermes -e OLLAMA_API_KEY=your-key   # or OPENROUTER_API_KEY
ov start hermes
ov shell hermes -c "hermes chat"

Configuration

LLM provider based on which env var is set:

Override the default model with HERMES_MODEL env var. Additional env_accepts:

| Variable | Description | |----------|-------------| | TELEGRAM_BOT_TOKEN | Telegram bot token for messaging | | SLACK_BOT_TOKEN | Slack bot token | | DISCORD_BOT_TOKEN | Discord bot token |

# Ollama Cloud
ov config hermes -e OLLAMA_API_KEY=your-key

# OpenRouter with custom model
ov config hermes -e OPENROUTER_API_KEY=sk-or-xxx -e HERMES_MODEL=google/gemini-2.5-flash

# Local Ollama (OLLAMA_HOST auto-injected by ov config ollama --update-all)
ov config hermes

# Or via .env file in the data volume
ov shell hermes -c "vi /opt/data/.env"

The data volume (/opt/data) persists: sessions, skills, memories, logs, config, and .env.

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy selkies-desktop (provides BROWSER_CDP_URL)
ov config selkies-desktop
ov start selkies-desktop

# 2. Deploy jupyter (provides jupyter MCP server)
ov config jupyter --update-all
ov start jupyter

# 3. Deploy hermes (consumes both)
ov config hermes -e OLLAMA_API_KEY=... --update-all
ov start hermes

Hermes receives:

BROWSER_CDP_URL=http://ov-selkies-desktop:9222 — controls desktop Chrome
OV_MCP_SERVERS=[{"name":"jupyter","url":"http://ov-jupyter:8888/mcp"},{"name":"chrome-devtools","url":"http://ov-selkies-desktop:9224/mcp"}] — notebook manipulation + browser DevTools MCP

MCP Server Discovery

# Verify MCP connection
ov shell hermes -c "hermes mcp list"                    # Shows registered servers
ov shell hermes -c "hermes mcp test jupyter"      # Tests connection (expects 13 tools)

Key Layers

/ov-layers:hermes-full — Metalayer composition details
/ov-layers:hermes — Core agent (env_accepts, browser dispatch, LLM config)
/ov-layers:chrome — Provides BROWSER_CDP_URL (from selkies-desktop)
/ov-layers:chrome-devtools-mcp — Chrome DevTools MCP server on port 9224 (from selkies-desktop)

Related Images

/ov-images:hermes-playwright — Hermes with local Playwright Chromium
/ov-images:selkies-desktop — Desktop with Chrome (cross-container browser provider)
/ov-images:jupyter — JupyterLab with MCP (cross-container MCP provider)

Verification

ov status hermes
ov service status hermes                    # hermes: RUNNING
ov shell hermes -c "hermes --version"
ov shell hermes -c "claude --version"
ov shell hermes -c "codex --version"
ov shell hermes -c "gemini --version"
ov shell hermes -c "ov version"
ov shell hermes -c "echo BROWSER_CDP_URL=\$BROWSER_CDP_URL"
ov shell hermes -c "echo OV_MCP_SERVERS=\$OV_MCP_SERVERS"
ov shell hermes -c "hermes mcp list"              # Should show chrome-devtools, jupyter

Test Coverage

Latest ov test hermes run: 50 passed, 0 failed, 0 skipped. Covers all 4 AI CLIs at ${HOME}/.npm-global/bin/{claude,codex,gemini}

pixi's hermes at ${HOME}/.pixi/envs/default/bin/hermes, plus dev-tools (rg, bat, gh, fastfetch, nvim, htop) and devops-tools (aws, scw, kubectx, kubens, tofu, jq). Deploy-scope: pipewire + hermes services up, /opt/data volume mounted. Uses supervisorctl pid for liveness (hermes-whatsapp is autostart=false — see /ov:test Gotcha #4).

Related Skills

/ov-layers:hermes-full, /ov-layers:hermes, /ov-layers:claude-code, /ov-layers:codex, /ov-layers:gemini, /ov-layers:dev-tools, /ov-layers:devops-tools
/ov:test — declarative testing framework + supervisord gotchas
/ov:config — OV_MCP_SERVERS auto-discovery + secret provisioning
/ov:mcp — verify each MCP server in OV_MCP_SERVERS is actually alive before debugging hermes tool-call failures; ov test mcp list-tools <provider-image> shows exactly what hermes will see
/ov-images:selkies-desktop — companion for shared browser (CDP)
/ov-images:jupyter — MCP notebook tools auto-discovered

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.

/ov:image — image family umbrella (image: entries in overthink.yml, build/validate/inspect/list)
/ov:build — build.yml vocabulary (distros, builders, init-systems)

Related Skills

overthinkos/charly

tools

VerifiedTrustedCommunity

OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

development

VerifiedTrustedCommunity

Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

overthinkos/charly-fedora

tools

VerifiedTrustedCommunity

Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-fedora

overthinkos/charly-arch

tools

VerifiedTrustedCommunity

Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-arch

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/overthinkos/overthink-plugins.git

# Copy into Claude Code skills folder (global)
cp -r overthink-plugins/ov-images/skills/hermes ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

overthinkos/overthink-plugins

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT