Skip to content

Sub-Agent Tool Isolation

Sub-Agent Tool Isolation is a security and structural mechanism in Hermes Agent v0.11 that restricts the capabilities of delegated child agents (sub-agents). By hardcoding specific tools as unavailable, the system prevents sub-agents from performing unauthorized actions, such as recursive delegation, user interaction, or unrestricted code execution^[001-TODO__Hermes_Agent_v0.11_-_结构升级与实战工作流解读.md].

This feature ensures that while sub-agents can process information and manipulate files, they remain bounded within their specific task context and cannot trigger system-wide side effects or bypass human oversight^[001-TODO__Hermes_Agent_v0.11_-_结构升级与实战工作流解读.md].

Restricted Capabilities

By default, sub-agents (regardless of their role) are prevented from accessing the following tools:

  • delegate_task: Denied to prevent uncontrolled recursive spawning of tasks.
  • clarify: Blocked to stop sub-agents from initiating interactions with the user.
  • memory: Sub-agents are barred from writing to the shared MEMORY.md file.
  • send_message: Prevented from sending messages or notifications to external platforms.
  • execute_code: Restricted to avoid "black box" script execution; sub-agents are required to reason step-by-step instead^[001-TODO__Hermes_Agent_v0.11_-_结构升级与实战工作流解读.md].

Role-Based Exceptions

The restriction on tool usage varies based on the assigned role of the sub-agent^[001-TODO__Hermes_Agent_v0.11_-_结构升级与实战工作流解读.md]:

  • Leaf Role: This is the most restrictive mode. A "leaf" agent cannot delegate tasks further and retains all the restrictions listed above.
  • Orchestrator Role: When a sub-agent is assigned the orchestrator role, the restriction on delegate_task is lifted to allow it to coordinate its own set of child tasks. However, the restrictions on clarify, memory, send_message, and execute_code remain strictly in place even for orchestrators^[001-TODO__Hermes_Agent_v0.11_-_结构升级与实战工作流解读.md].

Rationale

The primary purpose of this isolation is to maintain control and predictability within a multi-agent system^[001-TODO__Hermes_Agent_v0.11_-结构升级与实战工作流解读.md]. It enforces a boundary where sub-agents function as processing units rather than autonomous controllers. This is particularly critical in environments involving [[Parallel Code Review]] or Multi-Agent Orchestration, where preventing side effects (like spamming a chat channel or accidentally deleting data via scripts) is as important as completing the task^[001-TODO__Hermes_Agent_v0.11-_结构升级与实战工作流解读.md].

Sources

  • 001-TODO__Hermes_Agent_v0.11_-_结构升级与实战工作流解读.md