This server gives an LLM the ability to move a real mouse, press real keys, and run arbitrary shell commands on the host. Treat it accordingly.

1. Isolate the WSL distro. Don't run this on your daily Ubuntu. wsl --import hermes-cu Ubuntu-24.04 gives you a disposable instance.
2. Strip run_shell from the MCP tool list if the agent doesn't need filesystem / shell access. It's an escape hatch — remove it in production.
3. Scrub the Chrome profile regularly. $CU_PROFILE_DIR accumulates cookies, autofill, passwords. rm -rf between tenants.
4. Restrict VNC exposure.
   • x11vnc runs with -nopw by default. Add -rfbauth /path/to/passwd for production.
   • Bind noVNC to 127.0.0.1 by editing systemd/novnc.service (add --listen-host=127.0.0.1).
5. Segment network access. Use iptables or WSL mirrored networking with Windows Defender Firewall rules if the browser shouldn't reach internal services.
6. Observe, don't trust. Keep the noVNC tab open during long-running sessions. If the agent starts doing something unexpected, kill the service.

• No built-in authentication between hermes-agent and this MCP server. stdio transport assumes the client process is trusted.
• No audit log of tool calls. Add one via the client's gateway logs or wrap src/hermes_computer_use/server.py with a logging proxy if you need SOC-level traceability.
• No anti-detection patches beyond stock Chrome flags. This project's thesis is that "no abnormal signals" > "sophisticated evasion." If you fight the fingerprinting arms race, you move outside this repo's scope.

Email the maintainer. Do not open public issues for security-sensitive findings.