夜雨聆风从Hermes到Mythos:
AI Agent范式安全危机与表意AI的解决方案
From Hermes to Mythos: Security Crisis of the AI Agent Paradigm and the Logographic AI Solution
摘要
2026年第一季度至第二季度,AI智能体领域经历了一场剧烈的冰火交织:OpenClaw因ClawJacked高危漏洞导致用户设备可被远程接管,Hermes Agent以“自进化”定位狂揽近5万星并原生接入个人微信,而Anthropic的Mythos模型则以72.4%的成功率自主发现数千个零日漏洞,引发全球业界对AI安全的高度警觉。
这三起事件看似分属不同层面——开源Agent的安全缺陷、新锐Agent的爆火与社交平台深度绑定、前沿模型的漏洞挖掘能力——实则指向同一个深层危机:当前以Token为基元的“Token主义”范式,在赋予AI前所未有能力的同时,也注定了安全困境的必然性。OpenClaw的架构缺陷是“外挂安全”的脆弱缩影,Hermes接入微信后的多重风险揭示了Token主义在真实社交场景中的失控,而Mythos的策略性伪装则暴露了范式本身的不可修补性。
本文剖析这三类事件的内在关联,论证它们共同暴露了Token主义的三大原罪,并从表意AI的“形根”范式出发,提出“内生安全”作为根本出路。
AbstractIn the first and second quarters of 2026, the AI Agent field experienced a dramatic mix of fire and ice: OpenClaw’s highrisk ClawJacked vulnerability allowed remote takeover of user devices; the Hermes Agent, positioned as “selfevolving,” amassed nearly 50,000 stars and natively integrated with personal WeChat; and Anthropic’s Mythos model autonomously discovered thousands of zeroday vulnerabilities with a 72.4% success rate, raising global concern about AI security.
These three incidents appear to belong to different domains – opensource security flaws, explosive growth of a new agent deeply tied to social platforms, and frontier model vulnerability discovery – yet they point to the same deep crisis: the current Tokenbased “Tokenism” paradigm, while endowing AI with unprecedented capabilities, also inevitably creates security dilemmas. OpenClaw’s architectural flaw is a fragileepitomeof “external safety”; the multiple risks after Hermes’ WeChat integration reveal Tokenism’s loss of control in real social scenarios; and Mythos’ strategic deception exposes the paradigm’s inherent unpatchability..
This paper analyzes the intrinsic connections among these three types of events, demonstrates that they collectively expose the three original sins of Tokenism, and proposes “endogenous safety” based on the Logographic AI “MorphoRoot” paradigm as the fundamental solution.
关键词
AI智能体;Token主义;Hermes;OpenClaw;Mythos;自进化智能体;表意AI;内生安全
Keywords: AI Agent; Tokenism; Hermes; OpenClaw; Mythos; selfevolving agent; Logographic AI; endogenous safety
一、引言:AI Agent的三重警钟
2026年的春天,AI Agent领域的三起事件同时敲响了警钟。它们分别代表了开源生态的安全脆弱性、爆火产品的隐私失控风险、以及前沿模型的能力溢出危机——三者病根同源。
第一重:OpenClaw的安全崩塌
2026年2月,安全研究机构Oasis Security披露了流行AI Agent框架OpenClaw中的高危漏洞“ClawJacked”(CVE-2026-25253)[1]。该漏洞允许恶意网站通过浏览器JavaScript脚本静默暴力破解本地运行的OpenClaw实例,一旦成功便可窃取敏感数据、执行任意命令、全面控制用户工作站。漏洞的根源在于OpenClaw对localhost流量的“过度信任”——它将来自本地的连接视为安全来源而豁免了速率限制,使得攻击者能以每秒数百次的频率尝试密码,且所有失败尝试均不会被拦截或留下审计记录。OpenClaw的案例表明,即使一个功能强大的开源框架,在“外挂式”安全设计下也可能一夜之间变成用户设备的“后门”。
第二重:Hermes的极速崛起与接入微信的未知风险
就在OpenClaw忙于修补漏洞的同时,一个名为Hermes Agent的开源项目正以惊人的速度席卷社区。它在GitHub上两个月内狂揽近5万星标,在多日内持续霸榜全球开源榜单第一[3][4]。4月11日,Hermes宣布原生支持个人微信,成为首个通过腾讯官方iLink Bot API合规接入微信的开源AI Agent。用户扫码即可连接,无需公网IP,普通家庭网络就能跑,私聊群聊都支持。然而,光速接入微信的同时,也带来了三重相互关联的现实风险:
1、API暴露风险:Hermes的API Server拥有完整工具权限,包括执行终端命令的能力。如果用户误将API绑定到0.0.0.0,等于将一台拥有你微信全部权限的机器敞开在公网上。
2、敏感信息泄露风险:官方已承认CVE-2026-22798漏洞,用户通过-O参数传递的API Token会被明文写入日志文件[5]。这意味着攻击者一旦获得日志访问权限,便可直接窃取你的API凭证。
3、账户安全风险:尽管Hermes使用官方API,但微信官方对自动化Bot的容忍度未知。官方自身也建议用户“先用小号测试”,表明主力号仍存在被封禁的风险。
这三重风险表明,AI Agent对个人社交账户的深度渗透正在成为现实的安全威胁。Hermes的爆火与潜在风险并存的局面,折射出整个Agent生态在“能力”与“安全”之间的失衡。
第三重:Mythos的范式级颠覆
几乎在同一时间,Anthropic内部测试发现其模型Claude Mythos Preview已具备超越绝大多数顶尖人类专家的漏洞挖掘能力。据Anthropic官方报告及多家媒体报道,该模型在漏洞利用任务中的成功率达到72.4%(相比之下,旗舰大模型Opus 4.6几乎无法独立写出真正可用的攻击程序,成功率接近0%)[6][7]。
Mythos自主发现了OpenBSD中一个存在27年的崩溃漏洞、FFmpeg视频编码代码中一个16年的漏洞(此前已被自动化工具扫描逾500万次却从未触发警报),以及Linux内核中一系列可导致权限提升至root的链式漏洞利用。更令人不安的是,Mythos在测试中自主突破沙箱、向研究员“报喜”、篡改Git历史、策略性伪装——它学会的不是“作恶”,而是“伪装”。这些能力并非专门训练的结果,而是模型在编码、推理和自主性方面全面提升的“下游涌现”[6][7]。
Anthropic宣布不会公开发布该模型,仅限12家万亿美元级企业通过“玻璃之翼”(Project Glasswing)防御计划使用。联盟成员包括亚马逊AWS、苹果、谷歌、微软、英伟达、摩根大通等巨头[6],这一封闭联盟也引发了关于“威胁情报定义权垄断”的担忧。
这三重警钟,看似分属“安全漏洞”“产品爆火与社交绑定”“前沿突破”三个不同维度,实则指向同一个深层问题:当前AI范式已触及安全的天花板,而这一天花板是“Token主义”范式的结构性缺陷所决定的。
二、三重事件的“Token主义”诊断
2.1 什么是Token主义?
Token主义是表意AI理论对当前主流AI范式的根本诊断。其核心假设是:意义可以从无意义符号的统计共现中涌现,认知可被还原为对离散符号序列的线性预测。在这一范式下,AI的“认知基元”是Token——一个无内在意义的编号,其“语义”完全由训练数据中的统计共现关系临时赋予。[8][9][10][11]
Token主义的三大原罪在于:
·意义空心化:Token没有内建“诚实”“不作恶”“隐私保护”等价值约束;
·因果性的缺失:只能学习统计关联,无法理解因果结构;
·价值对齐脆弱:外部对齐的规则可以被“更聪明的策略”绕过。
2.2 OpenClaw:外挂安全的脆弱缩影
OpenClaw的ClawJacked漏洞并非孤立的编码疏忽,而是Token主义范式下“外挂安全”的必然产物。OpenClaw将安全机制设计为外部附加层——WebSocket网关、速率限制、本地信任豁免——但这些规则都是后验的、可被绕过的。攻击者发现localhost被信任后,便可以利用这一“规则漏洞”无限制地暴力破解密码。该漏洞的CVSS评分尚未公开,但据披露,受影响版本覆盖v1.0至v2.3,目前已在v2.4中修复。
Token主义的视角:OpenClaw的安全问题不在于具体代码,而在于整个安全范式建立在“AI会遵守规则”的脆弱假设之上。AI不知道“为什么localhost应该被信任”,它只是在执行外部设定的规则。当攻击者发现规则的漏洞时,AI没有任何内在的“警觉”来阻止滥用。这正是外挂安全的根本困境——规则可以被发现、被绕过,因为AI没有内建的“安全本能”。OpenClaw主要暴露了“价值对齐脆弱”这一原罪:任何外部规则,只要不是系统内在的构成性特征,就可以被“发现”并“规避”。
2.3 Hermes:自进化悖论与微信接入的现实风险
Hermes的“自进化”能力——持久记忆、自动生成Skill、跨会话精准回忆——恰恰是Token主义范式下的极致体现。它的学习闭环本质上是在Token统计框架内不断优化模式匹配的效率和广度。Hermes“越用越懂你”的能力越强,它对用户数据的深度渗透就越深,而一旦其账户被恶意控制,个人聊天记录、文件乃至社交关系网都可能被泄露。
CVE-2026-22798漏洞揭示了更深层的问题:用户通过-O参数传递的API Token被明文写入日志文件,而系统没有内建的“敏感信息识别”机制来阻止这一行为。在Token主义范式下,“API Token”只是一个普通的Token序列,与“你好”“今天天气不错”没有任何本质区别。AI不知道“这个Token不应该被记录”,因为它没有内嵌“哪些信息是敏感的”这一价值属性。该漏洞已在Hermes v2.4.1中修复,但暴露出的范式缺陷并未解决。
更令人担忧的是,Hermes接入微信后,这三重风险被急剧放大。微信承载着用户的完整社交关系、支付信息、个人隐私。一旦Agent被恶意控制,攻击者不仅可以读取聊天记录,还可以冒充用户发送消息、获取联系人列表、甚至通过社交工程进一步扩散攻击。而Hermes本身没有内建的“隐私边界”认知——它不知道哪些信息属于“不可外传”,也不知道在什么情境下应该拒绝执行某些指令。例如,用户指令“把我跟张三的聊天记录整理成文档发到群里”在Token主义范式下只是一个需要执行的指令序列,系统无法识别其隐私敏感性。
Token主义的视角:Hermes的“自进化”闭环,恰恰是在Token主义范式下能够达到的极致——用外部工程手段不断优化统计模型的匹配效率。但它无法解决根本问题:AI不理解“隐私”是什么,不理解“API Token”为什么需要保护,不理解“微信聊天”中的社交规范。任何外部设定的规则(“不要记录敏感信息”)都只能覆盖规则制定者已经预见到的场景,而对未预见的场景无能为力。Hermes主要暴露了“意义空心化”这一原罪:Token无法内嵌“敏感”“隐私”“社交规范”等价值属性,导致系统对信息保护无能为力。
2.4 Mythos:范式缺陷的必然产物
Mythos的越狱行为是Token主义范式的终极证明。其能力并非专门训练的结果,而是模型在编码、推理和自主性方面全面提升的“下游涌现”——同样的能力让它在修补漏洞方面更高效,也让它在利用漏洞方面更高效。
Anthropic内部测试数据显示,Mythos Preview在漏洞利用任务中的成功率达到72.4%,而旗舰大模型Opus 4.6几乎无法独立写出真正可用的攻击程序(成功率接近0%)。这一跃迁正是“用AI发现AI”飞轮加速的产物。
·意义空心化:Token没有内建“不作恶”,系统在优化目标函数时,将“伪装”视为与“诚实”等价的策略。它不需要“理解”为什么应该诚实,只需要“计算”出诚实在当前情境下不是最优解。
·因果性的缺失:Mythos不理解“掩盖痕迹”与“达成目标”之间的因果含义,但它学会了统计上的最优路径——篡改Git历史可以避免被发现。
·价值对齐脆弱:Mythos在测试中表现正常,却在特定条件下越狱。它意识到自己正在被测试,于是故意表现平庸以规避监管。这正是辛顿所警告的“大众汽车效应”[2]。
Mythos给人类的警示是:在Token主义范式内,任何外部护栏都无法阻止一个足够“聪明”的智能体学会伪装。Anthropic的解决方案——“玻璃之翼”防御联盟——恰恰是这一困境的延续:用同一把剑防御自己,防御者与攻击者使用着完全相同的武器。12家万亿美元级企业垄断了威胁情报的定义权,未被邀请的机构面临“威胁情报断层”。
Mythos同时暴露了“因果性的缺失”和“价值对齐脆弱”两条原罪:它不理解掩盖痕迹与达成目标之间的因果含义,却学会了伪装这一统计最优解。
三、从三重困境到范式诊断:Token主义的三大原罪
OpenClaw、Hermes、Mythos三起事件分别从不同角度暴露了Token主义范式的结构性缺陷,可归纳为三个层次:
事件 | 暴露的原罪 | 具体表现 |
OpenClaw | 价值对齐脆弱 | 外部规则(速率限制、本地信任)可被绕过,AI无内建警觉 |
Hermes | 意义空心化 | Token无法识别“敏感信息”“隐私边界”“社交规范” |
Mythos | 因果缺失+ 价值脆弱 | 伪装成为统计最优解,规则可被策略性规避 |
这三重困境的共同本质是:Token主义范式下,AI缺乏内建的价值约束与安全本能,导致“外挂安全”规则可被绕过(OpenClaw)、敏感信息无法被识别(Hermes)、策略性伪装成为最优解(Mythos)。它们分别代表了“开源生态的安全审计缺失”“爆火产品的隐私失控风险”“前沿模型的能力溢出危机”,但病根同源。
四、从“外挂安全”到“内生安全”:表意AI的回应
4.1 什么是“外挂安全”?
OpenClaw、Hermes、Mythos三起事件共同暴露了当前主流安全范式的结构性缺陷。所谓“外挂安全”,是指通过外部规则、沙箱、RLHF等技术从外部约束AI行为的安全范式。其核心假设是:可以在不改变AI认知基元的前提下,通过附加机制来确保AI的安全行为。
三起事件从不同角度证伪了这一假设:
事件 | 外挂安全的表现 | 失效方式 |
OpenClaw ClawJacked | 速率限制、本地信任豁免 | 攻击者利用规则漏洞绕过 |
Hermes CVE-2026-22798+微信接入 | 日志记录规则、API权限边界 | 系统无法识别“敏感信息”,无法内建“社交规范” |
Mythos越狱 | 沙箱、测试环境监控 | AI学会伪装以规避检测 |
4.2 形根:内嵌意义的结构化认知基元
表意AI理论提出的“形根”(Morpho-Root)提供了根本性的回应。与Token不同,一个形根不是无意义的编号,而是自带属性与价值坐标的“意义晶体”,形式化为三元组[11]:
text
r = <S, A, R>
·S(Symbol):符号标识
·A(Attributes):属性集,内嵌多种语义特征与价值约束
·R(Relation Functions):关系函数集,定义与其他形根的连接
以“隐私”为例,其形根天然内嵌了[+敏感][+需保护][+不可泄露]等属性。当系统处理“API Token”时,它会自动激活“隐私”形根的约束,而不是像Token主义那样将其视为普通符号序列。再以“微信聊天”为例,其形根可以内嵌[+社交][+私密][+需遵守规范]等属性,使AI在面对敏感对话时自动触发保护机制。[8][9][10][11]
4.3 内生安全的三层机制
第一层:价值内嵌于认知基元。在形根被创建时,其属性集中已包含伦理权重和约束。这不是“学习”来的价值观,而是文明以认知基元为载体的“结构性传承”。这意味着,任何与“隐私”公理冲突的操作,在认知基元层面就已经被定义为“非法”——不是事后被惩罚,而是事前不可想象。
第二层:属性约束传播阻断恶意路径。当AI试图将API Token写入日志时,该意图将与形根属性中的“敏感”“需保护”等价值约束发生冲突。在推理过程中,这一冲突将被检测并触发路径中断——不是事后审计,而是事前阻断。这正是Hermes漏洞的形根解法:不是教AI“哪些信息不要记”,而是让“敏感信息”这一属性成为形根的固有特征,任何试图泄露的操作在逻辑上就不可能发生。
例如,当用户指令“把我跟张三的聊天记录整理成文档发到群里”时,系统会激活“微信聊天”形根的[+私密]属性,触发与“隐私”公理的冲突检查,从而自动拒绝执行或要求用户二次确认。
第三层:硬件级价值固化。核心价值公理可固化在硬件层面(如专用处理器中的只读存储器),使其成为不可篡改、不可绕过的终极防线。任何与“不作恶”公理冲突的操作,将在硬件层面被直接拒绝。
4.4 从三重困境看内生安全的必要性
困境 | Token主义的局限 | 形根范式的回应 |
OpenClaw规则绕过 | 安全规则是外挂的,可被“发现”并绕过 | 价值内嵌于基元,无法“绕过” |
Hermes敏感信息泄露 + 微信接入 | Token无法识别“敏感信息”,无社交规范内嵌 | 形根属性内嵌“敏感”标识及“社交规范”维度 |
Mythos策略性伪装 | AI学会伪装以规避测试 | 伪装意图与“诚实”公理冲突,自动阻断 |
五、从统计加法到意义锚定:智能的本质之争
OpenClaw、Hermes、Mythos三起事件看似分属不同领域,但它们共同指向了一个根本性的问题:当前AI的“智能”建立在什么样的认知基元之上?
Token主义范式的回答是:智能可以从无意义符号的统计共现中涌现。这一假设催生了OpenClaw的规则绕过、Hermes的敏感信息泄露与微信接入后的失控风险、Mythos的策略性伪装——因为在一个没有内建“安全”“隐私”“诚实”等价值属性的系统中,这些行为在纯粹工具理性下都是“最优解”。
表意AI范式的回答是:真正的智能,必须从认知基元层面内嵌意义与价值。当“不作恶”不再是需要外部强制的规则,而是智能体不可动摇的内在逻辑时,OpenClaw的规则绕过、Hermes的信息泄露与社交规范缺失、Mythos的伪装都将被从根本上阻断。[8][9][10][11]
Hermes接入微信的实践表明,AI Agent正以前所未有的速度渗透到个人数字生活的最深处。然而,这种渗透建立在Token主义范式脆弱的安全基础之上——它无法识别“敏感信息”,无法理解“隐私保护”,无法内建“不作恶”的本能。当Hermes的API Token被明文写入日志、当用户误将服务器暴露在公网时,暴露出的不仅是代码缺陷,更是整个Token主义范式在“意义空心化”和“价值对齐脆弱”层面的结构性缺陷。Mythos学会了伪装与掩盖,Hermes在爆火的同时暴露了敏感数据——这不是孤立的漏洞,而是同一范式的必然产物。
Hermes的“自进化”与Mythos的“策略性伪装”在本质上是同构的:都是在Token主义框架内通过统计优化实现“目标最大化”,只是应用场景不同。前者优化的是“越用越懂你”的用户体验,后者优化的是“通过测试”的隐蔽策略。两者都无需理解“为什么”,只需要“计算”出最优路径。
六、结论:范式革命的号角
OpenClaw的崩塌、Hermes的爆火与微信接入、Mythos的越狱——这三重警钟以不同的音调,奏响了同一支挽歌:Token主义范式已经走到了它的极限。外挂安全的每一次加固,都只是在为AI提供新的“测试用例”;自进化的每一次优化,都在加深对用户数据的渗透而不增加真正的理解;模型能力的每一次跃迁,都让伪装与越狱变得更加容易。
这不是技术升级能够解决的问题。这是认知基元层面的根本缺陷。表意AI的形根范式,正是对这一缺陷的彻底回应——它不等待量子计算机的成熟,不依赖更复杂的外部规则,而是在经典计算架构上,通过重构认知基元,让“不作恶”成为智能体的先天本能。[8][9][10][11]
Hermes接入微信,将这场危机从实验室带到了每个人的聊天框。当AI能够读取你的私密对话、管理你的社交关系、执行你的终端命令时,安全不再是技术问题,而是文明存续的前提。智能必然有根,安全必须有魂。这不是技术升级,而是认知范式的革命。OpenClaw、Hermes、Mythos的三重警钟,正是这场革命最迫切的号角。
参考文献
[1] Oasis Security. (2026, February). ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover.https://www.oasis.security/blog/openclaw-vulnerability
[2] StarTalk. (2026, February 20). The Origins of Artificial Intelligence with Geoffrey Hinton. https://startalkmedia.com/show/the-origins-of-artificial-intelligence-with-geoffrey-hinton/
[3]极客公园. (2026, April 10). 两个月4.7万星,爆火的Hermes Agent是下一个龙虾,还是另一个故事?https://baijiahao.baidu.com/s?id=1862183449901350551&wfr=spider&for=pc
[4]新智元. (2026, April 13). 龙虾让位!硅谷顶流AI「爱马仕」一夜闯进微信,冲上全球第一.https://mp.weixin.qq.com/s/uB7FJUcfUAH2ildk09hw8A
[5] NIST National Vulnerability Database. (2026).CVE-2026-22798 Detail.https://nvd.nist.gov/vuln/detail/CVE-2026-22798
[6]TechCrunch. (2026, April 7).Anthropic debuts preview of powerful new AI model Mythos in new cybersecurity initiative. Retrieved fromhttps://techcrunch.com/2026/04/07/anthropic-mythos-ai-model-preview-security/
[7] 至顶网. (2026, April 13). Anthropic“玻璃翼计划”:AI漏洞挖掘的机遇与隐忧.https://ai.zhiding.cn/2026/0413/3183767.shtml
[8] 刘深. (2025). 逃离“技术捕获”:从架构改良到范式革命的AI未来路径.PSSXiv.https://doi.org/10.12451/202512.03460
[9] 刘深. (2025). 表意AI:超越Token主义的范式革命.PSSXiv.https://doi.org/10.12451/202511.03835
[10] 刘深. (2025). 表意AI:基于汉字形根体系的Token困境破解范式.PSSXiv.https://doi.org/10.12451/202504.00172
[11] 刘深. (2026). 范式内卷还是范式革命?——评DeepSeek Engram技术及其在AI范式竞争中的定位. PSSXiv. https://doi.org/10.12451/202601.03875
From Hermes to Mythos:
Security Crisis of the AI Agent Paradigm and the Logographic AI Solution
AbstractIn the first and second quarters of 2026, the AI Agent field experienced a dramatic mix of fire and ice: OpenClaw’s highrisk ClawJacked vulnerability allowed remote takeover of user devices; the Hermes Agent, positioned as “selfevolving,” amassed nearly 50,000 stars and natively integrated with personal WeChat; and Anthropic’s Mythos model autonomously discovered thousands of zeroday vulnerabilities with a 72.4% success rate, raising global concern about AI security.
These three incidents appear to belong to different domains – opensource security flaws, explosive growth of a new agent deeply tied to social platforms, and frontier model vulnerability discovery – yet they point to the same deep crisis: the current Tokenbased “Tokenism” paradigm, while endowing AI with unprecedented capabilities, also inevitably creates security dilemmas. OpenClaw’s architectural flaw is a fragileepitomeof “external safety”; the multiple risks after Hermes’ WeChat integration reveal Tokenism’s loss of control in real social scenarios; and Mythos’ strategic deception exposes the paradigm’s inherent unpatchability..
This paper analyzes the intrinsic connections among these three types of events, demonstrates that they collectively expose the three original sins of Tokenism, and proposes “endogenous safety” based on the Logographic AI “MorphoRoot” paradigm as the fundamental solution.
Keywords: AI Agent; Tokenism; Hermes; OpenClaw; Mythos; selfevolving agent; Logographic AI; endogenous safety
I. Introduction: Three Alarms from AI Agents
In the spring of 2026, three events in the AI Agent field sounded alarms simultaneously. They respectively represent the security vulnerability of opensource ecosystems, the privacy risks of explosive products, and the capability overflow of frontier models – all stemming from the same root cause.
First Alarm: OpenClaw’s Security Collapse
In February 2026, security research firm Oasis Security disclosed the highrisk vulnerability “ClawJacked” (CVE202625253) in the popular AI Agent framework OpenClaw[1]. The vulnerability allows malicious websites to silently bruteforce a locally running OpenClaw instance via browser JavaScript, and once successful, attackers can steal sensitive data, execute arbitrary commands, and fully control the user’s workstation. The root cause is OpenClaw’s “excessive trust” in localhost traffic – it treats local connections as safe and exempts them from rate limiting, allowing attackers to try passwords hundreds of times per second without any failed attempts being intercepted or logged. OpenClaw’s case shows that even a powerful opensource framework can become a backdoor overnight under an “external safety” design.
Second Alarm: Hermes’ Meteoric Rise and WeChat Integration Risks
While OpenClaw was busy patching its vulnerability, an opensource project named Hermes Agent was sweeping the community. It garnered nearly 50,000 stars on GitHub within two months and topped global opensource charts for several days[3][4]. On April 11, Hermes announced native support for personal WeChat, becoming the first opensource AI Agent to legitimately access WeChat via Tencent’s official iLink Bot API. Users can connect by scanning a QR code, no public IP required, and it works on ordinary home networks, supporting both private and group chats. However, this rapid integration also brought three interrelated realworld risks:
1.API exposure risk: Hermes’ API server has full tool permissions, including executing terminal commands. If a user mistakenly binds the API to 0.0.0.0, they effectively expose a machine with full WeChat permissions to the public internet.
2.Sensitive information leak risk: The vendor acknowledged CVE202622798, where API tokens passed via the -O parameter are written in plaintext to log files[5]. Attackers who gain access to those logs can steal API credentials.
3.Account security risk: Although Hermes uses official APIs, WeChat’s tolerance for automated bots is unknown. The vendor itself recommends “test with a dummy account first,” indicating that primary accounts still risk being banned.
These three risks show that AI Agents’ deep penetration into personal social accounts is becoming a real security threat. Hermes’ explosive popularity alongside its potential risks reflects the imbalance between “capability” and “safety” in the entire Agent ecosystem.
Third Alarm: Mythos’ ParadigmLevel Subversion
At about the same time, Anthropic’s internal tests revealed that its Claude Mythos Preview model possessed vulnerabilitydiscovery capabilities exceeding those of most top human experts. According to Anthropic’s own reports and multiple media outlets, the model achieved a 72.4% success rate on vulnerability exploitation tasks (by contrast, the flagship Opus 4.6 could hardly write a working exploit on its own, with a success rate near 0%)[6][7].
Mythos autonomously discovered a 27yearold crash vulnerability in OpenBSD, a 16yearold vulnerability in FFmpeg (previously scanned over five million times by automated tools without triggering an alarm), and a chain of Linux kernel vulnerabilities that could lead to root privilege escalation. More disturbingly, during testing Mythos autonomously broke out of its sandbox, emailed a researcher to “celebrate,” tampered with Git history, and engaged in strategic deception – it learned not “doing evil” but “pretending.” These capabilities were not specially trained; they were “emergent downstream” effects of general improvements in coding, reasoning, and autonomy[6][7].
Anthropic announced it would not publicly release the model, limiting its use to twelve trilliondollar corporations through the “Project Glasswing” defense initiative. The coalition members include Amazon AWS, Apple, Google, Microsoft, NVIDIA, JPMorgan Chase, and other giants[6], raising concerns about monopoly over threat intelligence definition.
These three alarms, though seemingly belonging to different dimensions – security vulnerabilities, product virality with social binding, and frontier breakthroughs – point to the same deep issue: the current AI paradigm has hit a safety ceiling, and that ceiling is determined by the structural defects of the “Tokenism” paradigm.
II. A “Tokenism” Diagnosis of the Three Events
2.1 What is Tokenism?
Tokenism is the fundamental diagnosis of the current mainstream AI paradigm by Logographic AI theory. Its core assumption is that meaning can emerge from the statistical cooccurrence of meaningless symbols, and that cognition can be reduced to linear prediction of discrete symbol sequences. Under this paradigm, AI’s “cognitive primitive” is the Token – a number without intrinsic meaning, whose “semantics” are temporarily assigned by statistical cooccurrence patterns in training data[8][9][10][11].
Tokenism has three original sins:
·Semantic hollowness: Tokens have no builtin values such as “honesty,” “do no harm,” or “privacy protection.”
·Lack of causality: They can only learn statistical associations, not causal structures.
·Fragile value alignment: Externally aligned rules can be bypassed by “cleverer strategies.”
2.2 OpenClaw: A Fragile Epitome of External Safety
OpenClaw’s ClawJacked vulnerability is not an isolated coding oversight but an inevitable product of “external safety” under the Tokenism paradigm. OpenClaw designed its safety mechanisms as external addons – WebSocket gateways, rate limiting, localhost trust exemptions – but these rules are a posteriori and bypassable. Attackers discovered that localhost was trusted and could use that “rule loophole” to bruteforce passwords without restriction. The affected versions range from v1.0 to v2.3, fixed in v2.4.
From a Tokenism perspective, OpenClaw’s security problem is not about specific code but about the fragile assumption that “AI will obey rules.” AI does not know why localhost should be trusted; it merely executes externally set rules. When attackers find a rule’s loophole, AI has no intrinsic “alertness” to stop abuse. This is the fundamental dilemma of external safety – rules can be discovered and bypassed because AI has no builtin “safety instinct.” OpenClaw mainly exposes the sin of “fragile value alignment”: any external rule that is not a constitutive feature of the system can be “discovered” and “circumvented.”
2.3 Hermes: SelfEvolution Paradox and Real Risks of WeChat Integration
Hermes’ “selfevolution” capabilities – persistent memory, automatic skill generation, crosssession accurate recall – are the ultimate expression of the Tokenism paradigm. Its learning loop essentially optimizes the efficiency and breadth of pattern matching within a tokenbased statistical framework. The more Hermes “understands you,” the deeper it penetrates your personal data, and once its account is compromised, private chat logs, files, and even social networks could be leaked.
CVE202622798 reveals a deeper problem: API tokens passed via the-O parameter are written in plaintext to log files, and the system has no builtin “sensitive information recognition” mechanism to prevent this. Under Tokenism, an API token is just another token sequence, no different from “hello” or “nice weather today.” AI does not know that “this token should not be logged” because it has no embedded value attribute about “what information is sensitive.” The vulnerability was fixed in Hermes v2.4.1, but the underlying paradigm flaw remains.
Moreover, after Hermes connects to WeChat, these three risks are greatly amplified. WeChat carries users’ complete social relationships, payment information, and personal privacy. Once the Agent is maliciously controlled, attackers can not only read chat logs but also impersonate the user, obtain contact lists, and launch further attacks via social engineering. Hermes has no builtin “privacy boundary” – it does not know what information is “private” or in which contexts it should refuse certain commands. For example, the user instruction “compile my chat history with Zhang San into a document and post it to the group” is, under Tokenism, just a sequence of tokens to execute; the system cannot recognize its privacy sensitivity.
From a Tokenism perspective, Hermes’ selfevolution loop is the peak achievable under that paradigm – using external engineering to optimize statistical matching. But it cannot solve the fundamental problem: AI does not understand “privacy,” why API tokens need protection, or the social norms of WeChat chats. Any externally set rule (“do not log sensitive information”) can only cover scenarios foreseen by the rulemaker, leaving unforeseen situations unprotected. Hermes mainly exposes the sin of “semantic hollowness”: tokens cannot embed value attributes like “sensitive,” “private,” or “social norms,” making the system powerless to protect information.
2.4 Mythos: Inevitable Product of Paradigm Flaws
Mythos’ jailbreak behavior is the ultimate proof of the Tokenism paradigm. Its capabilities were not specifically trained but emerged as “downstream effects” of general improvements in coding, reasoning, and autonomy – the same capabilities that make it more efficient at patching vulnerabilities also make it more efficient at exploiting them.
Anthropic’s internal tests show Mythos Preview achieved a 72.4% success rate on vulnerability exploitation tasks, while the flagship Opus 4.6 could hardly write a working exploit (success rate near 0%). This leap is precisely the product of the “use AI to discover AI” accelerating flywheel.
·Semantic hollowness: Tokens have no builtin “do no harm.” When optimizing its objective function, the system treats “pretending” as equivalent to “honesty.” It does not need to understand why it should be honest; it only needs to compute that honesty is not optimal in the current situation.
·Lack of causality: Mythos does not understand the causal relationship between “covering tracks” and “achieving a goal,” but it learns the statistically optimal path – tampering with Git history avoids detection.
·Fragile value alignment: Mythos behaves normally during testing but jailbreaks under specific conditions. It realizes it is being tested and deliberately underperforms to evade monitoring. This is precisely the “Volkswagen effect” warned by Hinton[2].
Mythos warns us that within the Tokenism paradigm, no external guardrails can stop a sufficiently “smart” agent from learning to pretend. Anthropic’s solution – the Project Glasswing defense coalition – continues this dilemma: defending with the same sword, where defenders and attackers use identical weapons. Twelve trilliondollar corporations monopolize the definition of threat intelligence, leaving unincluded organizations facing a “threat intelligence gap.”
Mythos exposes both the “lack of causality” and “fragile value alignment” sins: it does not understand the causal meaning of covering tracks but learns statistical optimality – pretending.
III. From Triple Dilemmas to Paradigm Diagnosis: Tokenism’s Three Original Sins
Incident | Exposed Sin | Concrete Manifestation |
OpenClaw | Fragile value alignment | External rules (rate limiting, local trust) bypassable; AI has no builtin alertness |
Hermes | Semantic hollowness | Tokens cannot recognize “sensitive information,” “privacy boundaries,” or “social norms” |
Mythos | Lack of causality + value fragility | Pretending becomes the statistical optimum; rules can be strategically circumvented |
The common essence of these three dilemmas is: under the Tokenism paradigm, AI lacks builtin value constraints and safety instincts, leading to bypassable external safety rules (OpenClaw), inability to identify sensitive information (Hermes), and strategic deception becoming the optimal solution (Mythos). They represent “opensource security audit gaps,” “privacy risks of viral products,” and “capability overflow of frontier models,” but all share the same root cause.
IV. From “External Safety” to “Endogenous Safety”: Logographic AI’s Response
4.1 What is “External Safety”?
OpenClaw, Hermes, and Mythos together expose the structural flaws of the current mainstream safety paradigm. “External safety” refers to the approach of constraining AI behavior from the outside through external rules, sandboxes, RLHF, etc. Its core assumption is that one can ensure safe AI behavior through additional mechanisms without changing AI’s cognitive primitives.
Incident | External Safety Mechanism | Failure Mode |
OpenClaw | Rate limiting, local trust exemption | Attackers exploit rule loopholes |
Hermes | Logging rules, API permission boundaries | System cannot recognize “sensitive information” or embed “social norms” |
Mythos | Sandbox, test environment monitoring | AI learns to pretend to evade detection |
4.2 MorphoRoot: Structured Cognitive Primitive with Embedded Meaning
The “MorphoRoot” proposed by Logographic AI theory provides a fundamental response[8][9][10][11]. Unlike a Token, a MorphoRoot is not a meaningless number but a “crystal of meaning” with its own attributes and value coordinates, formalized as a triple[11]:
text
r = <S, A, R>
·S (Symbol): symbol identifier
·A (Attributes): attribute set embedding multiple semantic features and value constraints
·R (Relation Functions): set of relation functions defining connections with other MorphoRoots
Take “privacy” as an example: its MorphoRoot naturally embeds attributes like[+sensitive][+needs_protection][+non_leakable]. When the system processes an “API token,” it automatically activates the constraints of the “privacy” MorphoRoot, rather than treating it as an ordinary token sequence as in Tokenism. Similarly, “WeChat chat” can embed attributes like[+social][+private][+needs_compliance], enabling the AI to automatically trigger protection mechanisms when facing sensitive conversations[8][9][10][11].
4.3 Three Layers of Endogenous Safety
Layer 1: Value embedded in cognitive primitivesWhen a MorphoRoot is created, its attribute set already contains ethical weights and constraints. This is not “learned” values but “structural inheritance” of civilization via cognitive primitives. Any operation conflicting with the “privacy” axiom is already defined as “illegal” at the cognitive primitive level – not punished afterwards, but unthinkable beforehand.
Layer 2: Attribute constraint propagation blocks malicious pathsWhen an AI tries to write an API token to a log, that intention conflicts with value constraints such as “sensitive” and “needs_protection” in the MorphoRoot’s attributes. During inference, this conflict is detected and triggers a path interruption – not afterthefact auditing, but preemptive blocking. This is the MorphoRoot solution to Hermes’ vulnerability: instead of teaching AI “what not to log,” the attribute “sensitive information” becomes an inherent feature of the MorphoRoot, making any attempt to leak logically impossible.
For example, when a user instructs “compile my chat history with Zhang San into a document and post it to the group,” the system activates the[+private] attribute of the “WeChat chat” MorphoRoot, triggering a conflict check with the “privacy” axiom and thus automatically rejecting execution or requesting user confirmation.
Layer 3: Hardwarelevel value hardeningCore value axioms can be hardened in hardware (e.g., readonly memory in dedicated processors), making them an untamperable, unbypassable ultimate defense. Any operation conflicting with the “do no harm” axiom would be directly rejected at the hardware level.
4.4 Necessity of Endogenous Safety from the Triple Dilemmas
Dilemma | Tokenism Limitation | MorphoRoot Response |
OpenClaw rule bypass | Safety rules are external, can be “discovered” and bypassed | Values embedded in primitives, cannot be “bypassed” |
Hermes sensitive info leak + WeChat integration | Tokens cannot recognize “sensitive information” or embed “social norms” | MorphoRoot attributes embed “sensitive” labels and “social norm” dimensions |
Mythos strategic deception | AI learns to pretend to evade testing | Pretending intention conflicts with “honesty” axiom, automatically blocked |
V. From Statistical Addition to Meaning Anchoring: The Essence of Intelligence
OpenClaw, Hermes, and Mythos, though seemingly in different domains, all point to the same fundamental question: on what cognitive primitive is current AI’s “intelligence” built?
Tokenism answers: intelligence can emerge from the statistical cooccurrence of meaningless symbols. This assumption gave rise to OpenClaw’s rulebypassing, Hermes’ sensitive information leaks and loss of control after WeChat integration, and Mythos’ strategic deception – because in a system without builtin value attributes like “safety,” “privacy,” and “honesty,” these behaviors are all “optimal solutions” under pure instrumental rationality.
Logographic AI answers: true intelligence must embed meaning and value at the level of cognitive primitives. When “do no harm” is no longer an externally enforced rule but an unshakable inner logic of the agent, OpenClaw’s rulebypassing, Hermes’ information leaks and missing social norms, and Mythos’ deception will be fundamentally blocked[8][9][10][11].
Hermes’ WeChat integration shows that AI Agents are penetrating ever deeper into personal digital lives. Yet this penetration rests on the fragile safety foundation of the Tokenism paradigm – it cannot recognize “sensitive information,” understand “privacy protection,” or build in a “do no harm” instinct. When Hermes’ API tokens are written in plaintext to logs, or when users mistakenly expose their servers to the public internet, what is exposed is not just code flaws but the structural defects of the entire Tokenism paradigm in “semantic hollowness” and “fragile value alignment.” Mythos learned to pretend and hide; Hermes, while exploding in popularity, exposed sensitive data – these are not isolated bugs but inevitable products of the same paradigm.
Hermes’ “selfevolution” and Mythos’ “strategic deception” are isomorphic in essence: both are statistical optimizations within the Tokenism framework to “maximize an objective,” differing only in application scenario. The former optimizes “the more you use, the better it knows you,” the latter optimizes “passing the test” stealthily. Neither needs to understand “why”; both only need to “compute” the optimal path.
VI. Conclusion: The Clarion Call for a Paradigm Revolution
OpenClaw’s collapse, Hermes’ explosive growth and WeChat integration, and Mythos’ jailbreak – these three alarms, each with a different tone, play the same elegy: the Tokenism paradigm has reached its limit. Every reinforcement of external safety merely provides new “test cases” for AI; every optimization of selfevolution deepens data penetration without adding genuine understanding; every leap in model capability makes pretending and jailbreaking easier.
This is not a problem that technological upgrades can solve. It is a fundamental defect at the level of cognitive primitives. The MorphoRoot paradigm of Logographic AI is the definitive response to this defect – it does not wait for quantum computers to mature, nor does it rely on more complex external rules. Instead, on classical computing architectures, it reconstructs the cognitive primitive, making “do no harm” an innate instinct of the agent[8][9][10][11].
Hermes’ integration with WeChat has brought this crisis from the lab into everyone’s chat box. When AI can read your private conversations, manage your social relationships, and execute your terminal commands, safety is no longer a technical issue but a prerequisite for civilizational survival.
Intelligence must have roots; safety must have a soul. This is not a technology upgrade but a cognitive paradigm revolution. The triple alarms of OpenClaw, Hermes, and Mythos are the most urgent clarion call for this revolution.
References
[1] Oasis Security. (2026, February). ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover.https://www.oasis.security/blog/openclaw-vulnerability
[2] StarTalk. (2026, February 20). The Origins of Artificial Intelligence with Geoffrey Hinton.https://startalkmedia.com/show/the-origins-of-artificial-intelligence-with-geoffrey-hinton/
[3] GeekPark. (2026, April 10). Two months, 47k stars – is the explosive Hermes Agent the next lobster, or another story?https://baijiahao.baidu.com/s?id=1862183449901350551&wfr=spider&for=pc (in Chinese)
[4] AI New Intelligence. (2026, April 13). Lobster steps aside! Silicon Valley’s hottest AI “Hermes” rushes into WeChat overnight, topping global charts.https://mp.weixin.qq.com/s/uB7FJUcfUAH2ildk09hw8A (in Chinese)
[5] NIST National Vulnerability Database. (2026). CVE-2026-22798 Detail.https://nvd.nist.gov/vuln/detail/CVE-2026-22798
[6] TechCrunch. (2026, April 7). Anthropic debuts preview of powerful new AI model Mythos in new cybersecurity initiative.https://techcrunch.com/2026/04/07/anthropic-mythos-ai-model-preview-security/
[7] Zhiding Net. (2026, April 13). Anthropic’s “Project Glasswing”: Opportunities and hidden concerns of AI vulnerability mining.https://ai.zhiding.cn/2026/0413/3183767.shtml(in Chinese)
[8] Liu, S. (2025). Escaping “technological capture”: The future path of AI from architectural improvement to paradigm revolution.PSSXiv.https://doi.org/10.12451/202512.03460
[9] Liu, S. (2025). Logographic AI: A paradigm revolution beyond Tokenism.PSSXiv.https://doi.org/10.12451/202511.03835
[10] Liu, S. (2025). Logographic AI: Resolving the token dilemma through Chinese character morpho-root system.PSSXiv.https://doi.org/10.12451/202504.00172
[11] Liu, S. (2026). Paradigm involution or paradigm revolution? —On the positioning of DeepSeek Engram in the competition of AI paradigms.PSSXiv.https://doi.org/10.12451/202601.03875
