Summary
Profile isolation is documented as "fully isolated Hermes environments" with "no cross-contamination." In practice, isolation is broken in two ways:
--clone copies memory files (MEMORY.md, USER.md, and possibly state.db) despite documentation stating the new profile gets "fresh sessions and memory"- Agents can read files across profile boundaries — when an agent can't find information in its own profile directory, it traverses to the default profile's directory and reads from there
These are two symptoms of the same root issue: profile isolation is path-based (via HERMES_HOME) but not enforced at the file access level.
Problem 1: --clone copies memory files
Steps to Reproduce
- Ensure the default profile has memory entries (chat for a while so
MEMORY.md and USER.md have content)
- Run:
hermes profile create testbot --clone
- Check:
cat ~/.hermes/profiles/testbot/memories/MEMORY.md
cat ~/.hermes/profiles/testbot/memories/USER.md
Expected
The memories/ directory should be empty. The new profile should start with clean memory.
Actual
Both MEMORY.md and USER.md are copied from the source profile. state.db may also be copied, which could carry over session history.
Why deleting the files doesn't fix it
The obvious workaround would be:
rm ~/.hermes/profiles/testbot/memories/*
But this leads directly to Problem 2 — once the memory files are gone, the agent falls back to reading from the default profile's directory.
Problem 2: Agents can read files from other profiles
Steps to Reproduce
- Create a profile and clear its memory:
hermes profile create coder --clone
rm ~/.hermes/profiles/coder/memories/*
- Start the coder profile:
coder chat
- Ask it something that would require reading memory or looking up past context
- Observe that it reads files from
~/.hermes/ (the default profile) instead of staying within ~/.hermes/profiles/coder/
Expected
Each profile should only access files within its own HERMES_HOME directory. When memory files don't exist, the agent should treat them as empty — not fall back to another profile's files.
Actual
The agent has unrestricted filesystem access across the entire ~/.hermes/ tree. It can:
- Read
~/.hermes/memories/MEMORY.md (default profile's memory)
- Read
~/.hermes/profiles/writer/memories/MEMORY.md (another profile's memory)
- Access any file in any profile directory
This means profile isolation is effectively cosmetic — any profile can access any other profile's data through file system tools.
Root Cause
HERMES_HOME correctly scopes config resolution (119+ files use get_hermes_home()), but the agent's file access tools (read_file, list_directory, terminal commands) are not restricted to the active profile's directory. The isolation is in path resolution, not in access control.
Suggested Fix
-
Scope file tools to HERMES_HOME: When the agent uses file tools to access paths under ~/.hermes/, restrict access to only the current profile's directory. Paths to other profiles should be blocked or require explicit approval.
-
Fix --clone to skip memory: --clone should not copy memories/ directory contents or state.db. Only config.yaml, .env, and SOUL.md should be copied, matching the documented behavior.
-
Don't fall back to default profile: When a file doesn't exist in the current profile's HERMES_HOME, the agent should not traverse up to ~/.hermes/ to look for it. Missing files should be treated as empty/non-existent.
Environment
- Hermes Agent version: latest
- OS: macOS
Relevant Documentation
From [Profiles: Running Multiple Agents](https://hermes-agent.nousresearch.com/docs/user-guide/profiles):
"A profile is a fully isolated Hermes environment. Each profile gets its own directory containing its own config.yaml, .env, SOUL.md, memories, sessions, skills, cron jobs, and state database. Profiles let you run separate agents for different purposes — a coding assistant, a personal bot, a research agent — without any cross-contamination."
From [Clone config only](https://hermes-agent.nousresearch.com/docs/user-guide/profiles#clone-config-only---clone):
"Copies your current profile's config.yaml, .env, and SOUL.md into the new profile. Same API keys and model, but fresh sessions and memory."
Summary
Profile isolation is documented as "fully isolated Hermes environments" with "no cross-contamination." In practice, isolation is broken in two ways:
--clonecopies memory files (MEMORY.md, USER.md, and possibly state.db) despite documentation stating the new profile gets "fresh sessions and memory"These are two symptoms of the same root issue: profile isolation is path-based (via
HERMES_HOME) but not enforced at the file access level.Problem 1:
--clonecopies memory filesSteps to Reproduce
MEMORY.mdandUSER.mdhave content)hermes profile create testbot --cloneExpected
The
memories/directory should be empty. The new profile should start with clean memory.Actual
Both
MEMORY.mdandUSER.mdare copied from the source profile.state.dbmay also be copied, which could carry over session history.Why deleting the files doesn't fix it
The obvious workaround would be:
But this leads directly to Problem 2 — once the memory files are gone, the agent falls back to reading from the default profile's directory.
Problem 2: Agents can read files from other profiles
Steps to Reproduce
coder chat~/.hermes/(the default profile) instead of staying within~/.hermes/profiles/coder/Expected
Each profile should only access files within its own
HERMES_HOMEdirectory. When memory files don't exist, the agent should treat them as empty — not fall back to another profile's files.Actual
The agent has unrestricted filesystem access across the entire
~/.hermes/tree. It can:~/.hermes/memories/MEMORY.md(default profile's memory)~/.hermes/profiles/writer/memories/MEMORY.md(another profile's memory)This means profile isolation is effectively cosmetic — any profile can access any other profile's data through file system tools.
Root Cause
HERMES_HOMEcorrectly scopes config resolution (119+ files useget_hermes_home()), but the agent's file access tools (read_file,list_directory, terminal commands) are not restricted to the active profile's directory. The isolation is in path resolution, not in access control.Suggested Fix
Scope file tools to HERMES_HOME: When the agent uses file tools to access paths under
~/.hermes/, restrict access to only the current profile's directory. Paths to other profiles should be blocked or require explicit approval.Fix
--cloneto skip memory:--cloneshould not copymemories/directory contents orstate.db. Onlyconfig.yaml,.env, andSOUL.mdshould be copied, matching the documented behavior.Don't fall back to default profile: When a file doesn't exist in the current profile's
HERMES_HOME, the agent should not traverse up to~/.hermes/to look for it. Missing files should be treated as empty/non-existent.Environment
Relevant Documentation
From [Profiles: Running Multiple Agents](https://hermes-agent.nousresearch.com/docs/user-guide/profiles):
From [Clone config only](https://hermes-agent.nousresearch.com/docs/user-guide/profiles#clone-config-only---clone):