Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

overthinkos/hermes

Name: hermes
Author: overthinkos

ov-hermes/skills/hermes/SKILL.md

npx skillsauth add overthinkos/overthink-plugins hermes

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Image: hermes

Full-featured standalone Hermes AI agent. No browser or desktop — designed for cross-container deployment alongside selkies-desktop (shared Chrome via BROWSER_CDP_URL) and jupyter (MCP notebooks via OV_MCP_SERVERS).

Definition

hermes:
  base: fedora
  layers:
    - agent-forwarding
    - hermes-full      # hermes + claude-code + codex + gemini + dev-tools + devops-tools + ov + tmux
    - dbus

Layer Stack

| Layer | Purpose | |-------|---------| | agent-forwarding | SSH + GPG agent forwarding into container | | hermes | AI agent with LLM auto-config, MCP, browser tools | | claude-code | Anthropic Claude Code CLI | | codex | OpenAI Codex CLI | | gemini | Google Gemini CLI | | dev-tools | bat, ripgrep, neovim, gh, direnv, fd-find, htop, podman-compose, etc. | | devops-tools | AWS CLI, Scaleway, kubectx/kubens, OpenTofu, wrangler, bind-utils, jq, rsync | | ov | Overthink CLI for in-container management | | tmux | Terminal multiplexer for persistent sessions | | dbus | D-Bus session bus |

Quick Start

ov image build hermes
ov config hermes -e OLLAMA_API_KEY=your-key   # or OPENROUTER_API_KEY
ov start hermes
ov shell hermes -c "hermes chat"

Configuration

The hermes entrypoint performs a single-phase, first-start-only auto-configuration of LLM providers and MCP servers. Guarded by # ov:auto-configured sentinel in config.yaml. To reconfigure: delete /opt/data/config.yaml and restart. API keys are synced to .env on every start (handles rotation).

LLM provider based on which env var is set:

| Priority | Env var | Provider | Default model | |----------|---------|----------|---------------| | 1 | OLLAMA_HOST | Local Ollama | qwen2.5-coder:32b | | 2 | OLLAMA_API_KEY | Ollama Cloud | kimi-k2.5:cloud | | 3 | OPENROUTER_API_KEY | OpenRouter | qwen/qwen3.6-plus:free |

Override the default model with HERMES_MODEL env var. Additional env_accepts:

| Variable | Description | |----------|-------------| | TELEGRAM_BOT_TOKEN | Telegram bot token for messaging | | SLACK_BOT_TOKEN | Slack bot token | | DISCORD_BOT_TOKEN | Discord bot token |

# Ollama Cloud
ov config hermes -e OLLAMA_API_KEY=your-key

# OpenRouter with custom model
ov config hermes -e OPENROUTER_API_KEY=sk-or-xxx -e HERMES_MODEL=google/gemini-2.5-flash

# Local Ollama (OLLAMA_HOST auto-injected by ov config ollama --update-all)
ov config hermes

# Or via .env file in the data volume
ov shell hermes -c "vi /opt/data/.env"

The data volume (/opt/data) persists: sessions, skills, memories, logs, config, and .env.

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy selkies-desktop (provides BROWSER_CDP_URL)
ov config selkies-desktop
ov start selkies-desktop

# 2. Deploy jupyter (provides jupyter MCP server)
ov config jupyter --update-all
ov start jupyter

# 3. Deploy hermes (consumes both)
ov config hermes -e OLLAMA_API_KEY=... --update-all
ov start hermes

Hermes receives:

BROWSER_CDP_URL=http://ov-selkies-desktop:9222 — controls desktop Chrome
OV_MCP_SERVERS=[{"name":"jupyter","url":"http://ov-jupyter:8888/mcp"},{"name":"chrome-devtools","url":"http://ov-selkies-desktop:9224/mcp"}] — notebook manipulation + browser DevTools MCP

MCP Server Discovery

When co-deployed with services that declare mcp_provides (e.g., jupyter), hermes auto-discovers and connects to their MCP servers at first start. The OV_MCP_SERVERS JSON env var is injected by ov config and the entrypoint writes the servers into config.yaml under mcp_servers:.

# Verify MCP connection
ov shell hermes -c "hermes mcp list"                    # Shows registered servers
ov shell hermes -c "hermes mcp test jupyter"      # Tests connection (expects 11 tools, post-2026-05-06 surface)

Key Layers

/ov-hermes:hermes-full-layer — Metalayer composition details
/ov-hermes:hermes — Core agent (env_accepts, browser dispatch, LLM config)
/ov-selkies:chrome — Provides BROWSER_CDP_URL (from selkies-desktop)
/ov-selkies:chrome-devtools-mcp — Chrome DevTools MCP server on port 9224 (from selkies-desktop)

Related Images

/ov-hermes:hermes-playwright — Hermes with local Playwright Chromium
/ov-selkies:selkies-desktop — Desktop with Chrome (cross-container browser provider)
/ov-jupyter:jupyter — JupyterLab with MCP (cross-container MCP provider)

Verification

ov status hermes
ov service status hermes                    # hermes: RUNNING
ov shell hermes -c "hermes --version"
ov shell hermes -c "claude --version"
ov shell hermes -c "codex --version"
ov shell hermes -c "gemini --version"
ov shell hermes -c "ov version"
ov shell hermes -c "echo BROWSER_CDP_URL=\$BROWSER_CDP_URL"
ov shell hermes -c "echo OV_MCP_SERVERS=\$OV_MCP_SERVERS"
ov shell hermes -c "hermes mcp list"              # Should show chrome-devtools, jupyter

Test Coverage

Latest ov eval live hermes run: 50 passed, 0 failed, 0 skipped. Covers all 4 AI CLIs at ${HOME}/.npm-global/bin/{claude,codex,gemini}

pixi's hermes at ${HOME}/.pixi/envs/default/bin/hermes, plus dev-tools (rg, bat, gh, fastfetch, nvim, htop) and devops-tools (aws, scw, kubectx, kubens, tofu, jq). Deploy-scope: pipewire + hermes services up, /opt/data volume mounted. Uses supervisorctl pid for liveness (hermes-whatsapp is autostart=false — see /ov-build:eval Gotcha #4).

Related Skills

/ov-hermes:hermes-full-layer, /ov-hermes:hermes, /ov-coder:claude-code, /ov-coder:codex, /ov-coder:gemini, /ov-coder:dev-tools, /ov-coder:devops-tools
/ov-build:eval — declarative testing framework + supervisord gotchas
/ov-core:config — OV_MCP_SERVERS auto-discovery + secret provisioning
/ov-build:mcp — verify each MCP server in OV_MCP_SERVERS is actually alive before debugging hermes tool-call failures; ov eval mcp list-tools <provider-image> shows exactly what hermes will see
/ov-selkies:selkies-desktop — companion for shared browser (CDP)
/ov-jupyter:jupyter — MCP notebook tools auto-discovered

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.

/ov-build:image — image family umbrella (image: entries in overthink.yml, build/validate/inspect/list)
/ov-build:build — build.yml vocabulary (distros, builders, init-systems)

overthinkos/hermes

ov-hermes/skills/hermes/SKILL.md

Full-featured standalone Hermes AI agent with AI CLIs, dev tools, DevOps tools, and ov. MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.

tools

Updated May 7, 2026

$ install --global

skillsauth

npx skillsauth add overthinkos/overthink-plugins hermes

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 7, 2026, 5:46 AM127.1s1 file scanned

SKILL.md

name:: hermes
description:: |

Image: hermes

Definition

hermes:
  base: fedora
  layers:
    - agent-forwarding
    - hermes-full      # hermes + claude-code + codex + gemini + dev-tools + devops-tools + ov + tmux
    - dbus

Layer Stack

Quick Start

ov image build hermes
ov config hermes -e OLLAMA_API_KEY=your-key   # or OPENROUTER_API_KEY
ov start hermes
ov shell hermes -c "hermes chat"

Configuration

LLM provider based on which env var is set:

Override the default model with HERMES_MODEL env var. Additional env_accepts:

| Variable | Description | |----------|-------------| | TELEGRAM_BOT_TOKEN | Telegram bot token for messaging | | SLACK_BOT_TOKEN | Slack bot token | | DISCORD_BOT_TOKEN | Discord bot token |

# Ollama Cloud
ov config hermes -e OLLAMA_API_KEY=your-key

# OpenRouter with custom model
ov config hermes -e OPENROUTER_API_KEY=sk-or-xxx -e HERMES_MODEL=google/gemini-2.5-flash

# Local Ollama (OLLAMA_HOST auto-injected by ov config ollama --update-all)
ov config hermes

# Or via .env file in the data volume
ov shell hermes -c "vi /opt/data/.env"

The data volume (/opt/data) persists: sessions, skills, memories, logs, config, and .env.

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy selkies-desktop (provides BROWSER_CDP_URL)
ov config selkies-desktop
ov start selkies-desktop

# 2. Deploy jupyter (provides jupyter MCP server)
ov config jupyter --update-all
ov start jupyter

# 3. Deploy hermes (consumes both)
ov config hermes -e OLLAMA_API_KEY=... --update-all
ov start hermes

Hermes receives:

BROWSER_CDP_URL=http://ov-selkies-desktop:9222 — controls desktop Chrome
OV_MCP_SERVERS=[{"name":"jupyter","url":"http://ov-jupyter:8888/mcp"},{"name":"chrome-devtools","url":"http://ov-selkies-desktop:9224/mcp"}] — notebook manipulation + browser DevTools MCP

MCP Server Discovery

# Verify MCP connection
ov shell hermes -c "hermes mcp list"                    # Shows registered servers
ov shell hermes -c "hermes mcp test jupyter"      # Tests connection (expects 11 tools, post-2026-05-06 surface)

Key Layers

/ov-hermes:hermes-full-layer — Metalayer composition details
/ov-hermes:hermes — Core agent (env_accepts, browser dispatch, LLM config)
/ov-selkies:chrome — Provides BROWSER_CDP_URL (from selkies-desktop)
/ov-selkies:chrome-devtools-mcp — Chrome DevTools MCP server on port 9224 (from selkies-desktop)

Related Images

/ov-hermes:hermes-playwright — Hermes with local Playwright Chromium
/ov-selkies:selkies-desktop — Desktop with Chrome (cross-container browser provider)
/ov-jupyter:jupyter — JupyterLab with MCP (cross-container MCP provider)

Verification

ov status hermes
ov service status hermes                    # hermes: RUNNING
ov shell hermes -c "hermes --version"
ov shell hermes -c "claude --version"
ov shell hermes -c "codex --version"
ov shell hermes -c "gemini --version"
ov shell hermes -c "ov version"
ov shell hermes -c "echo BROWSER_CDP_URL=\$BROWSER_CDP_URL"
ov shell hermes -c "echo OV_MCP_SERVERS=\$OV_MCP_SERVERS"
ov shell hermes -c "hermes mcp list"              # Should show chrome-devtools, jupyter

Test Coverage

Latest ov eval live hermes run: 50 passed, 0 failed, 0 skipped. Covers all 4 AI CLIs at ${HOME}/.npm-global/bin/{claude,codex,gemini}

pixi's hermes at ${HOME}/.pixi/envs/default/bin/hermes, plus dev-tools (rg, bat, gh, fastfetch, nvim, htop) and devops-tools (aws, scw, kubectx, kubens, tofu, jq). Deploy-scope: pipewire + hermes services up, /opt/data volume mounted. Uses supervisorctl pid for liveness (hermes-whatsapp is autostart=false — see /ov-build:eval Gotcha #4).

Related Skills

/ov-hermes:hermes-full-layer, /ov-hermes:hermes, /ov-coder:claude-code, /ov-coder:codex, /ov-coder:gemini, /ov-coder:dev-tools, /ov-coder:devops-tools
/ov-build:eval — declarative testing framework + supervisord gotchas
/ov-core:config — OV_MCP_SERVERS auto-discovery + secret provisioning
/ov-build:mcp — verify each MCP server in OV_MCP_SERVERS is actually alive before debugging hermes tool-call failures; ov eval mcp list-tools <provider-image> shows exactly what hermes will see
/ov-selkies:selkies-desktop — companion for shared browser (CDP)
/ov-jupyter:jupyter — MCP notebook tools auto-discovered

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the hermes image.

/ov-build:image — image family umbrella (image: entries in overthink.yml, build/validate/inspect/list)
/ov-build:build — build.yml vocabulary (distros, builders, init-systems)

Related Skills

overthinkos/agents

development

VerifiedTrustedCommunity

Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".

SKILL.mdUpdated May 31, 2026

overthinkos/workspace-mount

tools

VerifiedTrustedCommunity

Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).

SKILL.mdUpdated May 30, 2026

overthinkos/workspace-mount

overthinkos/android

development

VerifiedTrustedCommunity

MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.

SKILL.mdUpdated May 26, 2026

overthinkos/git-workflow

tools

VerifiedTrustedCommunity

Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.

SKILL.mdUpdated May 25, 2026

overthinkos/git-workflow

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/overthinkos/overthink-plugins.git

# Copy into Claude Code skills folder (global)
cp -r overthink-plugins/ov-hermes/skills/hermes ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

overthinkos/overthink-plugins

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT