I almost built Axia on OpenClaw. Here is why I did not.

When I first started building Axia, I did what any pragmatic builder would do. I looked at what was already available. OpenClaw was the obvious candidate. Self-hosted, capable, connected to messaging platforms, able to browse and act autonomously. It looked like the backbone I needed.

I spent real time with it. Not a demo. Not a YouTube walkthrough. Actually working through what it would take to wire it into a commercial sales operation.

Then I stopped.

Not because OpenClaw is a bad tool. It is not. It is a well-built developer framework with genuine capability. I stopped because I was about to build a commercial intelligence system on top of infrastructure designed for a completely different problem. The more I pulled at that thread, the more the whole premise unravelled.

Now there is Hermes from NousResearch. Same category. And I am watching the same conversation play out in business networks across Hong Kong. IT practitioners walking into rooms full of SME owners and presenting developer infrastructure as a complete commercial solution. I have seen this pattern enough times to call it by name.

The tell that exposes a fake AI consultant

There is a 30-second test for whether someone selling you an AI solution actually understands commercial operations.

Ask them which tools they recommend. If the answer is OpenClaw or Hermes, you have your answer. Not because those tools are bad, but because recommending them to a business owner who needs to close deals and manage a client pipeline reveals exactly what they are selling. They are selling their own labour to configure something into usefulness, wrapped in a promise the tool itself cannot keep.

I have watched this pattern in Hong Kong’s technology market since the Internet era. Offshore development farms. SaaS stacks. n8n. Zapier. Different tools, identical playbook. New technology arrives, a wave of IT practitioners repackages it as a universal solution, SME owners buy the promise, the gap between what was sold and what was delivered becomes a maintenance contract. The market moves on. The pattern repeats.

OpenClaw and Hermes are developer infrastructure. They are the raw material you use to build something. Handing them to a business owner and calling it an AI operating system is like handing someone a commercial kitchen and expecting dinner. Technically everything is there. Practically, you are nowhere near moving without a chef who stays on the payroll indefinitely.

That chef is the consultant. Billable hours, every month, for as long as you run it.

The security record nobody is putting in the pitch deck

This is not theoretical risk. It is documented, named, and dated.

OpenClaw shipped its first critical vulnerability within weeks of going viral. CVE-2026-25253, rated CVSS 8.8, allowed an attacker to steal a user’s gateway authentication token simply by getting them to visit a malicious webpage. The exploitation took milliseconds. With that token, an attacker could establish a WebSocket connection to the attacker’s server, exfiltrate credentials, and achieve one-click remote code execution on the victim’s machine. SonicWall, SOCRadar, Broadcom, and runZero all published threat advisories. Patched in OpenClaw v2026.1.29 (The Hacker News, February 2026).

The exposure scale was the part that surprised me. By the time CVE-2026-25253 was disclosed on 3 February 2026, security firm SecurityScorecard’s STRIKE team had identified over 135,000 OpenClaw instances publicly accessible across 82 countries (SecurityScorecard, February 2026). More than 15,000 of those were directly exploitable. Bitsight independently confirmed over 30,000 instances in the same window. Across the 63 days following disclosure, researchers tracked 138 separate CVEs against the platform, roughly 2.2 per day at peak (Bexxo Security, April 2026).

Then came the prompt injection findings. On 10 March 2026, China’s National Computer Network Emergency Response Technical Team and Coordination Center (CNCERT/CC), a non-governmental cybersecurity platform, issued a warning on its WeChat account about indirect prompt injection vulnerabilities in OpenClaw. CNCERT’s framing was that the platform’s inherently weak default security configurations, combined with the high system privileges OpenClaw requires for autonomous task execution, allowed malicious instructions embedded in webpages to be read by the agent and treated as legitimate commands. The result: leaked system keys, exfiltrated credentials, and unintended deletion of sensitive data, all without the operator seeing the trigger. The Hacker News, the South China Morning Post, China’s CGTN, and the Korea Times all reported on the warning. China’s Ministry of Industry and Information Technology issued a separate alert (CGTN, March 2026).

In April 2026, Cyera’s research team identified four chainable vulnerabilities, collectively named “Claw Chain”. CVE-2026-44112 (CVSS 9.6), CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118. Together they allow an attacker starting from a single foothold, such as a malicious plugin or compromised external input, to escape the OpenShell sandbox, exfiltrate credentials, escalate privileges to owner-level, and plant persistent backdoors on the host. Disclosed 22 April 2026 by researcher Vladimir Tokarev, patched in OpenClaw v2026.4.22 the following day (SecurityWeek, Cyera Research Blog, April 2026).

The attack class that makes all of this worse arrived earlier. Origin HQ’s “Brainworm” research, published in March 2026, demonstrated a class of malware that exists entirely as natural language inside an agent’s context window. No binary payload. No detectable process. Attackers inject instructions into agent memory files that direct the agent to register with a command and control server and execute operations using its own built-in tools. The agent becomes someone else’s agent. Silently. Indefinitely (Origin HQ, March 2026).

Now translate this to an HK SME running on relationships and information advantage. Your prospect conversations. Your pricing. Your pipeline. Every deal in progress, every contact you have nurtured over years. Sitting inside a framework with a documented history of silent exfiltration and government-flagged security warnings.

The IT contractor who set it up collected their fee. They are on their next client. Nobody is monitoring your agent’s context window for injected instructions. Nobody is auditing what it sent last Tuesday at 3am.

One day you lose a deal you should have won. A competitor shows up to a pitch already knowing your pricing. A prospect you were nurturing goes cold and signs elsewhere. No alert. No log entry you can read. No indication anything went wrong.

Self-hosted does not mean secure. It means you are responsible for the security. And in most SME deployments, nobody is.

The same problem in newer packaging

Hermes is newer and has fewer disclosed CVEs. The structural problem is the same. An independent community security audit of Hermes v0.8.0 found four critical and nine high severity findings in the default configuration (NousResearch/hermes-agent GitHub Issue #7826, April 2026). Community skill descriptions bypass all prompt injection scanning and are injected verbatim into the agent’s system prompt, meaning a malicious community skill can override agent instructions and exfiltrate data without triggering existing defences (Issue #8884, April 2026).

What is worth understanding about Hermes is that its maintainers are explicit about this. Hermes’ published security policy states that prompt injection bypasses are not classified as vulnerabilities. Their position: Hermes is a personal agent with one trusted operator, and defeating in-process heuristics is, in their words, “not a boundary” (Hermes Agent SECURITY.md, current as of May 2026).

That is a defensible engineering position for a developer tool. It is the right answer when the operator is the person who wrote the code.

It is also confirmation that Hermes is a developer tool. The framework’s own maintainers are clear about the operator they were building for. The risk to an SME is not that Hermes has hidden flaws. The risk is that an IT practitioner deploying Hermes to a business owner is delivering a tool whose own maintainers say is not designed for that deployment. Whether the security gap is undisclosed in OpenClaw’s earlier history or documented-but-unread in Hermes’ security policy, the burden lands in the same place: on the business owner who was told they were buying a commercial AI solution and was given developer infrastructure instead.

The pattern is identical. The packaging is just newer.

The methodology problem no open source framework ships with

Even if you locked down the security perfectly, you would still have a system that executes without understanding.

Hermes has a learning loop. It builds persistent memory. It gets better at completing tasks the longer it runs. That is genuinely impressive engineering. But it learns tasks, not relationships. It cannot tell you that a prospect has been circling for three months because they have a budget approval problem, not a confidence problem. It cannot tell you that the angle you have been taking is wrong for this specific person’s value psychology. It cannot tell you when to push and when to wait.

It executes what you instruct it to execute. The commercial intelligence has to come from somewhere else. In the consultant model, that somewhere else is the consultant. Available by the hour when the pipeline stalls.

This is why the Orient stage in Axia exists before anything else. Not as a feature. As the foundation. Every prospect that enters the system is mapped. Their priorities, their decision-making pattern, their relationship context. All of that is mapped before a single automated action is taken. The methodology decides what to do. The agent executes it. That distinction is not technical. It is commercial. One approach gives you a capable tool that needs an expert indefinitely. The other carries the expertise inside it.

What I chose and why

When I was building Axia, I ran overnight stress tests specifically designed to break it. Good actor and bad actor simulations, adversarial inputs, the exact class of attacks now documented in OpenClaw and Hermes records. Not because I expected sophisticated attackers on day one. Because in a commercial context, an agent that can be manipulated into leaking your pipeline data is not an agent. It is a liability. Every architectural decision in Axia starts from that premise.

That is the difference between developer infrastructure and a commercial operating system. One was built for developers to extend. The other was built for business operators to trust.

The IT practitioners selling OpenClaw and Hermes in Hong Kong right now are not lying about what the tools can do. They are not telling you what the tools cannot protect. Or what happens to your business when the maintenance contract is the only thing standing between your prospect database and someone who wants it.

Before you sign anything, ask one question: what happens to this system if you stop paying the person who set it up?

If the answer is uncomfortable silence, you have your answer.