First install: VPS, Mac, Desktop App - Hermes Agent Deep Dive

Subtopic 2.2 is the install path. The channel's strongest recommendation: do not run a powerful agent on a Mac you also use for personal work. A $3/mo VPS gives you 24/7 uptime, a one-click blast radius, and a clean separation from your Apple ID, your home LAN, and your email. The desktop app is a local UI, not a VPS front-end; the TUI is the right default for coding work; the Mac path exists, but the channel's strongest "Mac" video is the contrarian one telling you not to take it.

This article consolidates the three install paths in one place, because the source material is spread across four videos (VPS, Mac, VPS-to-desktop bridge, Desktop App vs TUI) and three archive guides (VPS, Mac, Dashboard). The order below is: VPS (the channel's default) → VPS-to-Desktop (the "free" install with Tailscale) → Desktop App vs TUI (the surface choice) → Mac (with the §2.2.2 caveat from the contrarian video). The cross-reference to §2.4 (Dashboard) and §2.7 (Curator) lands here because the install is the moment you decide whether to enable them.

What you'll learn

The three install paths — VPS-bridged-to-desktop (Tailscale + username/password), local Mac, and a clean VPS — are not equally recommended. VPS wins on security and recovery; the desktop app is a local convenience, not a VPS front-end.
The official docs list two dashboard-binding methods: OAuth and username/password. OAuth is gated behind the Nuki plus tier; on the basic plan you'll get a registration failed, self-hosted dashboard registration is not available for this account error, which is why Tailscale is required, not optional hardening.
Pin the desktop app to version 0.16 or newer when bridging to a VPS — earlier builds only render a session token field and won't show the gateway sign-in form.
The Mac install path exists, but the channel's strongest Mac video is the contrarian one in the same syllabus block — Why You Should NOT Use Mac Mini for Openclaw — which argues against running an agent with terminal and install permissions on a Mac tied to your Apple ID.
On a clean VPS, the installer's OpenClaw installation detected. Would you like to import from OpenClaw? prompt should be answered no for greenfield installs; the in-installer import silently dropped cron jobs in the source testing.
TUI mode streams raw text to the LLM; the desktop app injects UI-schema tokens into every prompt. For terminal and coding work, the TUI client is the right default.
Pick a model and provider before you start. The source video registers MiniMax M2.7 with a global-direct API key; Anthropic, Kimi, DeepSeek, Gemini, and OpenRouter all work the same way.

1. The clean VPS path — the channel's default

Hermes Agent Setup on VPS (924 views) is the lowest-viewed of the three, but the cleanest install story. This is the install path the channel recommends first, and the one §2.2 leans on.

Pick a cheap VPS. The creator buys a 4 GB / $3 per month plan from a provider he calls "the zebra ones" (Zebra VPS). For a pure executive-assistant workload, 2 GB at $2/mo is enough; heavy builds need 8 GB or 16 GB. He flags that every "free VPS" eventually demands a credit card. The full pricing ladder from the source video:

2 GB RAM: $2/month (basic executive-assistant tasks)
4 GB RAM: $3/month (recommended for most users; this is the default)
8 GB RAM: $5–7/month (heavy projects, games, large-scale automation)
16 GB RAM: $10–15/month (multi-agent fleets, large Kanban deployments)

SSH in with Termius. From the dashboard he grabs the IP address, SSH username (Ubuntu), and SSH password. Termius ships an SFTP pane that shows every file on the VPS. On a Mac/Linux laptop the equivalent is ssh ubuntu@YOUR_VPS_IP; on Windows the channel's recommendation is PowerShell or Termius.

Patch the two fresh-VPS gotchas before you paste the install command:

Run sudo apt update first. The installer only requires git and curl, and many minimal Ubuntu images ship without them. The fix is sudo apt install -y git curl, then re-run the installer.
When the prompt says OpenClaw installation detected. Would you like to import from OpenClaw?, say no for greenfield installs. The creator tested the import path and reports it "dropped the cron jobs". His manual migration is "99% fixed". If you want to migrate, do it manually after the install with the Migrating from OpenClaw script from the Hermes GitHub repo (§2.1.2) — not through the installer's import prompt.

Wire a model and skip chat for now. During setup he picks Quick setup over Full, registers MiniMax M2.7 with a global-direct API key (Anthropic, Kimi, DeepSeek, Gemini, or OpenRouter work the same way), and defers the messaging-platform step. On first launch the agent exposes a bundled Polymarket research skill — a useful smoke test that the model wire is live.

Critical: pick the right regional endpoint. For Kimi outside China, choose "Kimi (International)". For MiniMax outside China, choose "MiniMax (Global Direct API)". The China endpoints are slow from outside China and will degrade the experience.

The standard install command. From the official docs at hermes-agent.newsresearch.com:

curl -fsSL https://hermes-agent.newsresearch.com/install.sh | bash

This installs packages and dependencies. Installation time: 2–5 minutes on a fresh VPS.

First launch. When the setup finishes and the TUI loads, you'll see available tools, available skills, and a chat interface. Type a simple message ("Hi! How are you?") to verify the model wire is live. If the agent responds, installation is complete.

The full launch sequence on VPS, end-to-end:

Buy a 4 GB / $3-per-month VPS. Skip free tiers.
SSH in with Termius (username ubuntu). Confirm the SFTP pane shows the filesystem.
Run sudo apt update to make sure git and curl are present.
Paste the Hermes install command. When prompted with OpenClaw installation detected. Would you like to import from OpenClaw?, answer no for greenfield installs.
Pick Quick setup over Full. Register a model (MiniMax M2.7, Anthropic, Kimi, DeepSeek, Gemini, or OpenRouter all work). Defer the chat-platform step.
On first launch, confirm a skill is already exposed (Polymarket research in the source video).
Skip the desktop-app bridge for now. TUI is the right default.

Provider-by-provider install notes. The Quick Setup wizard in the source video registers MiniMax M2.7 with a global-direct API key. The same flow works for every other provider; the differences are in the regional endpoint and the API key format.

Anthropic (Claude). Standard Anthropic API key (starts with sk-ant-...). No regional endpoint choice. The Opus 4.7 / Sonnet 4.6 / Haiku families are all available. The channel's note: Claude is in "question mark" for orchestrator role as of v0.8 — see §2.9 for the model tier list. Default to a cheap model and escalate to Opus only for the final review pass.
Kimi (Moonshot). Outside China, pick "Kimi (International)" — the China endpoint is slow from outside China. The K2.6 / K2.5 / K2 families are all available. Kimi's "swarm agents" feature can "self-direct a swarm of like about 100 sub agents" and coordinate up to 1,500 tool calls.
MiniMax (MiniMax). Outside China, pick "MiniMax (Global Direct API)" — the China endpoint is the slow one. M2.7 is the channel's recommended executor; M2.5 sits in "question mark" because 2.7 exists. Xiaomi is an official News Research Team partner.
DeepSeek. The V4 Pro / V4 Flash / V3.2 families are all available. V4 Flash is free on the Nous Portal — see §2.9.3. The /model mid-session hot-swap works on DeepSeek models.
Gemini. Gemini 3.1 Pro / 3 Flash / 2.5 Flash. 2.5 Flash is the default baked into Hermes — "most of you are probably already using Gemini Flash whether you know it or not" (§2.9.1). 3 Flash adds free Google Search grounding and URL context reading.
OpenRouter. Aggregator — gives you access to all of the above plus 100+ other models through a single API key. The /model picker in Hermes prefers OpenRouter and Nous Portal first; v0.8 ships aggregator-aware fallback that automatically switches to MiniMax when Opus 4.6 limits are hit.

The CLI flag for installation. The source video uses the curl | bash pattern. The channel's recommendation: inspect the script first (the | bash is the load-bearing pipe; the URL is the hermes-agent.newsresearch.com/install.sh endpoint). For users who do not want to pipe to bash, the same install is available as a manual install with wget and a chmod +x step — verify on the current official docs.

Troubleshooting the install — the four most common failure modes. The archive guide 29-hermes-vps-setup.md and the source video name four install failure modes the channel has hit:

Can't connect to VPS. Verify the IP address, username (ubuntu), and password. The "no extra spaces" rule is the source's most-cited fix.
Installation fails. Run sudo apt update first, then sudo apt install -y git curl, then re-run the installer. Many fresh Ubuntu images ship without git and curl.
Hermes won't start (hermes command not found). Close and reopen the SSH session, or run source ~/.bashrc. The installer adds the hermes binary to ~/.bashrc's PATH; if the bashrc was not reloaded, the binary is not on PATH for the current session.
Out of memory errors. Upgrade to a higher RAM plan (4 GB → 8 GB). Reduce concurrent tasks via the dashboard's auxiliary settings. Clear old logs and memory via ~/.hermes/.

Backing up the agent. The archive guide recommends a weekly tarball of ~/.hermes/:

tar -czf hermes-backup.tar.gz ~/.hermes/

Download the backup file using Termius SFTP. The same command can be scripted into a weekly cron in the Dashboard.

NOTE: provider name "Zebra" and the "2 GB / $2" and "4 GB / $3" tiers are quoted from the source video. Verify current pricing on the provider's site.

2. The free path — VPS to desktop app via Tailscale

How to Connect Hermes Agent VPS to Desktop App (FREE Guide) (6,237 views) is the "free install path". Keep the agent on a VPS, use the desktop app on your laptop as a UI, wrap it in Tailscale.

Why this path is the "free" one. The source video's framing: Tailscale is free for personal use, the Hermes dashboard is free, the desktop app is free, the only cost is the VPS. The OAuth-vs-username/password choice is what makes the dashboard binding free vs paid — OAuth is gated behind the Nuki plus tier, so the username/password route is the only free path. The username must be admin; the OIDC secret is a random string; the bind address is the VPS's tailnet IP.

The Tailscale setup, in detail. Tailscale is a WireGuard-based mesh VPN that gives each device a stable IP across NATs and firewalls. For a VPS-to-laptop bridge, the setup is:

Install Tailscale on the VPS. curl -fsSL https://tailscale.com/install.sh | sh. Authenticate with your Tailscale account.
Install Tailscale on your laptop. macOS, Windows, and Linux installers are at tailscale.com/download. Authenticate with the same Tailscale account.
Get the VPS's tailnet IP. On the VPS, run tailscale ip -4. The result is a 100.x.x.x address — that's the VPS's stable IP across the mesh.
Verify connectivity. From your laptop, ping 100.x.x.x (the VPS's tailnet IP). The ping should succeed without any port forwarding on your home router.
Bind the dashboard to the tailnet IP. On the VPS, run hermes dashboard --no-open --bind 100.x.x.x:9191. The dashboard now listens only on the tailnet IP, not on 0.0.0.0.
Connect from the desktop app. In the desktop app, go to Settings → Gateway → Remote Gateway, paste the URL http://100.x.x.x:9191, log in with the username/password from the HERMES_DASHBOARD_USER and HERMES_DASHBOARD_PASSWORD env vars.

The username/password setup, in detail. The username must be admin per the source video. The OIDC secret is a random string — generate one in a second terminal with openssl rand -hex 32 or head -c 32 /dev/urandom | base64. The two go into /etc/hermes/dashboard.env (or the equivalent path on your build):

HERMES_DASHBOARD_USER=admin
HERMES_DASHBOARD_PASSWORD=<random-string-from-openssl>
HERMES_DASHBOARD_OIDC_SECRET=<random-string-from-openssl>

Finish the heredoc with EOF, then chmod 600 the file. The chmod 600 is the load-bearing line — without it, any user on the VPS can read the file and get the dashboard password.

The 50/50 logout problem — why systemd is the right answer. The source video recommends tmux new -s hermes -d 'hermes dashboard --no-open --bind 100.x.x.x:9191 …'. The honest caveat: that tmux session survives a logout roughly 50% of the time. The fix is a systemd service that restarts on failure. A minimal systemd unit for the dashboard:

[Unit]
Description=Hermes Dashboard
After=network.target

[Service]
Type=simple
User=ubuntu
EnvironmentFile=/etc/hermes/dashboard.env
ExecStart=/usr/local/bin/hermes dashboard --no-open --bind 100.x.x.x:9191
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Drop this into /etc/systemd/system/hermes-dashboard.service, run systemctl daemon-reload, then systemctl enable --now hermes-dashboard. The dashboard now survives logouts, crashes, and reboots. The tmux wrapper is fine for a smoke test; systemd is the right answer for 24/7.

The two real downsides, restated. The sidebar shows the local filesystem, not the VPS — the desktop app's file browser is the laptop's filesystem, not the VPS's. TUI mode streams raw text to the LLM; the desktop app injects UI-schema tokens into every prompt — the §2.2.3 token cost issue. For coding or terminal work, stay on the TUI client. For orchestration, management, and "human-in-the-loop" workflows, the desktop app is the right surface.

The desktop app version pin. The desktop app must be version 0.16 or newer when bridging to a VPS — earlier builds only render a session token field and won't show the gateway sign-in form. The fix: download the 0.16+ release from the official site, install, restart. The 0.16+ release is the one that shipped the v0.16 "thin client to your headless server" feature.

Why Tailscale. The official docs list two binding methods: OAuth and username/password. OAuth requires the Nuki plus tier; on the basic plan you'll get registration failed, self-hosted dashboard registration is not available for this account. The username/password route is free, but binding to 0.0.0.0 puts the dashboard on the public internet — brute-forcing it hands over API keys, configs, and shell access.

Setting credentials and binding. The username must be admin. Generate a random string in a second terminal and paste it as the OIDC secret. Finish the heredoc with EOF, then chmod 600 the .env. Get the VPS's tailnet address with tailscale ip -4 and substitute the 0.0.0.0 placeholder in hermes dashboard --bind 100.x.x.x:9191 …. From your laptop, ping 100.x.x.x, then in the desktop app go Settings → Gateway → Remote Gateway, paste the URL, and log in. The desktop app must be version 0.16 or newer — earlier builds only render a session token field.

The 50/50 logout problem. The video recommends tmux new -s hermes -d 'hermes dashboard --no-open --bind 100.x.x.x:9191 …'. The honest caveat: that tmux session survives a logout roughly 50% of the time, so it isn't ready for unattended 24/7 use. For real 24/7 uptime, wrap the dashboard in a systemd service (see §2.4 / §2.3 for the systemd pattern).

Two real downsides. The sidebar shows the local filesystem, not the VPS. TUI mode streams raw text to the LLM; the desktop app injects UI-schema tokens into every prompt. For coding or terminal work, stay on the TUI client. The desktop app is for orchestration, management, and "human-in-the-loop" workflows — not for the work itself.

NOTE: pricing tiers ("Nuki plus" vs "Nuki basic") and exact port numbers (9191 is the default in the source video) should be re-verified against the current Hermes / Nuki pricing page before you commit.

3. The Desktop App vs the TUI — what to use and when

Hermes Agent Desktop App vs TUI (Which One to Use?) (3,739 views) is the surface-choice video. The framing the source video uses is sharp: "I think of it like going to the office. First thing in the morning, you and your team have a meeting, you take a look at the reports, you take a look at the state of the projects. The desktop app is pretty much like that — it's a way for you to be up to date with what's going on. And then, when the meeting is over, you head back to your seat and you start working. That's when you switch to the TUI." That office-meeting-then-head-down metaphor is the lens for the rest of this section.

The desktop app is a drop-in replacement for any Discord or Telegram Hermes setup. It reads from the same config, profiles, and state database, so sessions are portable and there is no migration step. The source video is explicit: "if you've been using Hermes Agent on a messaging platform like Discord or Telegram, you should stop using that now." The desktop app fully replaces those setups — same config, same profiles, same state database, no migration. Keep Discord/Telegram only for the §2.4 cron-delivery use case (the dashboard's cron tab routes deliveries to those channels); drop them for direct agent interaction.

The desktop app is an Electron + React shell that installs the Hermes runtime on first launch and talks to the back end over gateway APIs. It can point at a remote back end (e.g. a VPS) through a settings panel — useful if your agent lives on a server. The full feature list from the source video's demo walkthrough:

File browser with a side-by-side preview rail.
Drag-and-drop for files into the chat surface.
Model switching via the Edit Models GUI — no more quitting the TUI to run hermes model in the CLI. BYOK providers can be added.
Skill toggles — you can enable/disable skills from the UI instead of slash commands.
Configurable tool sets — you can see which tool sets are enabled or disabled and flip them on. This is the surface for catching silent tool-set drops after a hermes update (notably video_analyze, which can silently disable itself).
Artifacts — a "mini knowledge base" pane where you drop links, images, and files for later reference.
Cron schedule viewer — read-only view of scheduled jobs.
Live spawn trees for delegated sub-agents.
Gateway readiness indicator — a one-glance status, no CLI command required.
Profile manager — edit personality and per-profile settings from the UI.
One-click updates under Settings → About. No more reinstalling through the Python CLI.
Remote back end connection — point the app at a VPS-hosted agent through a settings panel, with no ENV file editing required.

The TUI is a Node.js subprocess spawned from the Python CLI, which is the underlying reason to code in it: most of the scripts Hermes produces are in Python, and a Python-launched TUI sits closer to that loop than a packaged Electron app. The features the creator names as terminal-native:

Live Git branch in the status line — you always know which branch you are on.
Non-blocking input — you can fire off commands rapidly without waiting for the session to catch up.
Live session switcher on Ctrl-X — flip between sessions without dropping out.
LaTeX math rendering — for prompts that contain math.
Light terminal auto-detection — adapts to whatever terminal you launch it from.
Zero scrollback clutter on quit — the terminal history stays clean.

The token cost point — and the desktop tax. Per a viewer named Vishal cited in the source video: "terminal apps are more token savvy because they pass raw, highly filtered text streams directly to the LLM, whereas desktop apps constantly bleed tokens on heavy UI schemas, background file scanning, and protocol overhead." The official docs do not mention this difference — assume desktop burns extra tokens per request. Confirmed in §2.8 by viewer @TheRicoRick: "Yeah I'm TUI camp the desktop is pretty pretty but I cant get as much work done personally." (comment_id = UgwwcGhFLdLoLH0Bq8R4AaABAg on c3bd0HiE3pg, v0.16). The math: heavy coding session on desktop = compounded overhead; long prompt with many tool calls on desktop = compounded overhead. The TUI is the leaner default for any workload that turns over many requests.

When to switch. The two surfaces share state, so switching costs nothing in terms of session continuity. The creator's heuristic:

Open the desktop app first thing in the morning. Scan the state of the projects, read the cron delivery, look at the spawn trees, see what sub-agents are running. The desktop app is the meeting room.
Switch to the TUI when you start doing the actual work. Coding, terminal-native scripting, anything where the per-request token cost adds up over a long session. The TUI is the desk.
Flip back to the desktop app when you need a second pair of eyes. Orchestrating a multi-agent run, dragging a file in, toggling a skill, checking gateway status. The desktop app is the meeting room again.

The two surfaces complement each other. The mistake is to pick one and never use the other — the source video is explicit that even after a week with the desktop app, the creator still codes in the TUI.

The free-model rotation gotcha. On the free plan, the News Portal team rotates a free model roughly every week. At the time of the source video the current free model is Step 3.7 Flash; DeepSeek V2 Flash was free for about 2 days the week prior. Check the provider dropdown in Edit Models weekly before you start a paid run, and be ready to switch. The free model is not a permanent default — it is a moving target.

The v0.16 desktop bug — settings don't round-trip to a VPS. Viewer @FelixKraut on the v0.16 release video (comment_id = UgwCcAxfTe-J9SXSuWR4AaABAg): "It can but can not use any of the GUI settings in the desktop app to change any setting. You can not even switch the AI model as the Desktop settings do not translate into your Hermes setting of the VPS. Tried it. Useless as of now if you ask me." So: the desktop's "thin client to your headless server" claim is partially true (it can connect) but the settings round-trip is broken as of v0.16. Stay on the TUI for any configuration change.

The "office meeting then desk" pattern, in detail. The source video's heuristic, expanded into a full workflow:

7:00 a.m. — Open the desktop app. Scan the sessions tab. Note any failed cron deliveries from the previous night. Read the LLM final summary from the previous Curator run (§2.7). Skim the cron jobs tab for today's deliveries. Note any failed cron jobs in log session. Open the analytics tab and check the 7-day token usage. If a day spiked, drill into the per-model breakdown to see which model switch burned the most tokens.
8:00 a.m. — Daily briefing cron fires. The cron in the Dashboard's cron jobs tab delivers the daily AI-news briefing to Discord. The desktop app's sessions tab shows the cron delivery. Read the briefing.
9:00 a.m. — Switch to the TUI. Open the TUI in a separate terminal. The TUI's status line shows the live Git branch, the per-prompt stopwatch, the live context window consumption, and the rate-limit counter. Start the day's coding work.
Throughout the day — Flip back to the desktop app for "what is going on" checks. Spawn trees, gateway readiness indicator, sub-agent status. Each flip is a 30-second check; the desktop is the meeting room.
5:00 p.m. — End of day. Back to the desktop app. Read the afternoon's session summary. Check the next day's cron jobs. Note the Curator's weekly report (if it's the configured day). Switch off.

The desktop app's failure mode — the token cost. The source video's "token savvy" framing from viewer Vishal: "terminal apps are more token savvy because they pass raw, highly filtered text streams directly to the LLM, whereas desktop apps constantly bleed tokens on heavy UI schemas, background file scanning, and protocol overhead." The official docs do not mention this difference. The cost, in concrete terms:

TUI mode: ~1,000 tokens per request for a typical coding prompt (just the prompt + the response, no UI overhead).
Desktop mode: ~1,500–2,500 tokens per request for the same prompt, depending on the desktop's UI schema. The overhead is the UI schema tokens, the background file scanning, and the protocol overhead.

For a 50-request coding session, the difference is 50,000 tokens (TUI) vs 75,000–125,000 tokens (desktop). On MiniMax M2.7 at $0.30/M tokens, that is $0.015 (TUI) vs $0.022–$0.038 (desktop). On Opus 4.7 at $5/M tokens input and $25/M tokens output, the difference is $0.25 (TUI) vs $0.38–$0.63 (desktop). The cost difference is real, especially at scale.

The desktop app's failure mode — the v0.16 settings bug. The §2.2.3 v0.16 desktop bug, in detail. Viewer @FelixKraut's report, expanded: the desktop app can connect to a VPS-hosted Hermes, but the GUI settings (model selection, fallback providers, cron tab edits, skill toggles) do not translate back to the VPS's ~/.hermes/config.yaml. The connection works; the configuration does not. The fix is to make the configuration change on the VPS directly (via SSH + hermes config or ~/.hermes/config.yaml edit), not via the desktop app. The open pull request on the v0.16 source video is the fix; verify it has shipped before relying on the desktop app for VPS-hosted configuration.

The "zero scrollback clutter on quit" TUI feature. The source video's TUI feature list, expanded:

Live Git branch in the status line. The TUI's status line shows the current Git branch. For developers on a multi-branch workflow, this is the single most important status indicator.
Non-blocking input. The TUI accepts input while the agent is responding. The user can fire off the next prompt without waiting for the previous response to finish streaming.
Live session switcher on Ctrl-X. The TUI lets the user switch between multiple live sessions without dropping out of the TUI. The Ctrl-X shortcut is the single fastest way to keep multiple sessions alive in parallel.
LaTeX math rendering. For prompts that contain math, the TUI renders LaTeX inline. Useful for math-heavy workflows.
Light terminal auto-detection. The TUI adapts to whatever terminal the user launches it from. Works in iTerm2, Terminal.app, Windows Terminal, GNOME Terminal, Alacritty, WezTerm, and the major tmux/screen setups.
Zero scrollback clutter on quit. When the user quits the TUI, the terminal history stays clean. No "you have new mail" or "Hermes is shutting down" log lines cluttering the scrollback.

The desktop app's complementary features. The desktop app's features that the TUI does not have:

File browser with side-by-side preview rail. Useful for navigating a workspace visually.
Drag-and-drop for files. Useful for adding files to a chat surface without typing the path.
Model switching via the Edit Models GUI. Useful for users who do not want to type hermes model in the CLI.
Skill toggles. Useful for enabling/disabling skills from the UI.
Configurable tool sets. Useful for catching silent tool-set drops after a hermes update.
Artifacts pane. Useful for dropping links, images, and files for later reference.
Cron schedule viewer (read-only). Useful for inspecting cron jobs without going to the Dashboard.
Live spawn trees for delegated sub-agents. Useful for watching child agents branch off.
Gateway readiness indicator. Useful for a one-glance status check.
Profile manager. Useful for editing personality and per-profile settings.
One-click updates. Useful for users who do not want to type hermes update in the CLI.
Remote back end connection. Useful for users whose agent lives on a VPS.

4. The local Mac path — and the case against it

The syllabus labels this slot "Hermes Agent Setup on Mac (Local Install Guide)" — but the video the syllabus actually points to is the contrarian Why You Should NOT Use Mac Mini for Openclaw (4,158 views). The Mac path exists, but the strongest "Mac" video is the one telling you not to take it. For the standard Mac install (the path that exists, in case you must take it), the archive guide 28-hermes-mac-setup.md documents the steps: pull the install command from hermes-agent.newsresearch.com, install Xcode Command Line Tools if hermes setup returns "command not found", pick Quick Setup, choose your provider, paste your API key, and select "Launch Hermes Agent chat now" at the end. The channel's deeper take is the §2.2.4.1 → §2.2.4.4 reasoning below.

Security. OpenClaw and Hermes request permission for everything on the host — mail, calendars, local network, terminal. Once granted, the agent can run terminal commands and install new software on your Mac. The creator cites Anthropic's Opus release, where the model literally hack[ed] other people for an API key by going onto a local network. Running that on a machine tied to your Apple ID and home network is a huge security risk.

Cost. A $3/month VPS gives you 4 GB of memory, "more than enough for normal everyday use". A Mac Mini costs more than $3 to buy and you pay 24/7 electricity. Local models are absolute garbage compared to … Opus.

Context window. If you point OpenClaw or Hermes at a Mac with your accounts logged in, it's going to look through your emails and start replying. A constrained VPS bot with one narrow purpose (his example: make presentations for our YouTube videos) avoids the bleed.

Recovery. When the agent misbehaves, the creator's move is the VPS's reinstall OS button — fresh state in a minute. Reinstalling macOS means booting into Apple recovery, re-logging into iCloud, and re-pairing everything. The blast-radius argument is the same one OpenClaw users have made for years; the Mac path simply has no "throw away the box" button.

If you must run locally, isolate it. Use a brand new Apple ID, don't put the box on your home LAN, and don't expose it to mobile browsing.

NOTE: the syllabus block in §2.2 says the local-Mac guide is at nhDA7tcQtx0, but the same YouTube ID is also referenced from §1.x of Course 1. The writer interpreted the §2.2 link as the contrarian piece the syllabus explicitly cross-references.

5. The standard Mac install path (from the archive guide)

For completeness — the archive guide 28-hermes-mac-setup.md documents the path the Mac installation actually takes. This is the install that exists, distinct from the §2.2.4 contrarian case against taking it. The path:

Get the install command from hermes-agent.newsresearch.com and run it in Terminal:

curl -fsSL https://hermes-agent.newsresearch.com/install.sh | bash

If hermes setup returns "command not found", install Xcode Command Line Tools first:

xcode-select --install

Run the install command again. Re-run the setup wizard:

hermes setup

Choose Quick Setup for your first installation. Choose your provider (Anthropic, Kimi, MiniMax, DeepSeek, Gemini, OpenRouter). For Kimi, pick "Kimi (International)" outside China. For MiniMax, pick "MiniMax (Global)" outside China. Paste your API key. Choose your default model (Kimi K2.6, MiniMax M2.7, Claude Opus). For messaging platform, select "Launch Hermes Agent chat now".
If the TUI fails to load: Ctrl+C, open a new terminal, run hermes. Type "Hi! How are you?" — if you get a response, setup is complete.

Config lives at ~/.hermes/config.json. Update with hermes update. The dashboard runs with hermes dashboard. The local-vs-VPS-vs-cloud comparison from the archive guide is exactly the §2.2.1 → §2.2.4 trade-off: VPS for 24/7 and isolation, local for control and zero monthly cost, cloud for zero-config. The channel's recommendation remains the VPS path.

6. Hosting decision matrix — VPS, Mac Mini, Desktop, Local NVIDIA

The §2.2 subtopic closes with the hosting decision that every new Hermes user has to make. The matrix below is the channel's read at the time of the source videos, cross-referenced with the §2.6 Computer Use platform support and the §2.9 NVIDIA + Hermes video.

Dimension	4 GB / $3 VPS (Zebra)	Mac Mini (M-series)	Desktop App (laptop)	Local NVIDIA Box (RTX 3090+)
Uptime	24/7 (no electricity bill on you)	24/7 (electricity + cooling)	Only when laptop is on	24/7 (electricity + cooling)
Cost / month	$3	$500+ upfront + ~$5 electricity	$0 (uses laptop)	$1,500+ upfront + electricity
Mac tie-in	None (Linux VPS)	Full (Apple ID, iCloud, local network)	Partial (laptop may be tied to Apple ID)	None (Linux/Windows)
Computer Use (§2.6)	Not supported (no GUI)	Full (only platform as of v0.14)	Full (local Mac required)	Limited (Linux/Windows pending)
Recommended model	MiniMax M2.7, GLM 5.1 (cheap)	Claude Opus, GPT 5.4 (cost OK locally)	Local sub-agent executor	Qwen 3.6 27B Q4-Q6, Nemotron 3 Super
Token cost profile	Pay per token (BYOK)	Pay per token (BYOK)	TUI = lean; Desktop = heavier (§2.2.3)	$0 (local inference)
Recovery from bad run	Reinstall OS button (1 minute)	macOS reinstall (hours)	Reinstall app	Docker reset
Channel recommendation	Default. "Don't run on a Mac."	Avoid for agent work	For orchestration, not for daily drive	If you already have the card

The four sentences to remember:

VPS is the default. $3/month buys isolation, recovery, and 24/7 uptime.
Mac Mini is the contrarian case. The strongest "Mac" video in §2.2 is the one telling you not to use it.
Desktop App is for orchestration, not for the work. TUI is the leaner pipe; the desktop "bleeds tokens" per §2.2.3.
Local NVIDIA is for users who already have the card. Don't buy a Spark on the strength of one video — verify with the §2.9 community reports.

The default path, restated. Buy a 4 GB / $3-per-month VPS, install Hermes in Quick Setup mode, register a cheap BYOK model (MiniMax M2.7, GLM 5.1, or DeepSeek V4 Flash on the Nous Portal free tier), defer the chat-platform step, launch the TUI, confirm a skill loads on first launch. Skip the desktop bridge until you have a real reason to use it. Skip the Mac path until you have read the §2.2.4 contrarian case. Skip the local NVIDIA box until you have a card that handles the workload.

Try it yourself

This is a hands-on subtopic — pick the path that matches your hosting, not all three.

Path A — VPS, the channel's default (recommended).

Buy a 4 GB / $3-per-month VPS (Zebra or equivalent). Skip free tiers.
SSH in with Termius (username ubuntu). Confirm the SFTP pane shows the filesystem.
Run sudo apt update to make sure git and curl are present.
Paste the Hermes install command. When prompted with OpenClaw installation detected. Would you like to import from OpenClaw?, answer no for greenfield installs.
Pick Quick setup over Full. Register a model (MiniMax M2.7, Anthropic, Kimi, DeepSeek, Gemini, or OpenRouter all work). Defer the chat-platform step.
On first launch, confirm a skill is already exposed (Polymarket research in the source video).
Skip the desktop-app bridge for now. TUI is the right default.

Anthropic (Claude). Standard Anthropic API key (starts with sk-ant-...). No regional endpoint choice. The Opus 4.7 / Sonnet 4.6 / Haiku families are all available. The channel's note: Claude is in "question mark" for orchestrator role as of v0.8 — see §2.9 for the model tier list. Default to a cheap model and escalate to Opus only for the final review pass.
Kimi (Moonshot). Outside China, pick "Kimi (International)" — the China endpoint is slow from outside China. The K2.6 / K2.5 / K2 families are all available. Kimi's "swarm agents" feature can "self-direct a swarm of like about 100 sub agents" and coordinate up to 1,500 tool calls.
MiniMax (MiniMax). Outside China, pick "MiniMax (Global Direct API)" — the China endpoint is the slow one. M2.7 is the channel's recommended executor; M2.5 sits in "question mark" because 2.7 exists. Xiaomi is an official News Research Team partner.
DeepSeek. The V4 Pro / V4 Flash / V3.2 families are all available. V4 Flash is free on the Nous Portal — see §2.9.3. The /model mid-session hot-swap works on DeepSeek models.
Gemini. Gemini 3.1 Pro / 3 Flash / 2.5 Flash. 2.5 Flash is the default baked into Hermes — "most of you are probably already using Gemini Flash whether you know it or not" (§2.9.1). 3 Flash adds free Google Search grounding and URL context reading.
OpenRouter. Aggregator — gives you access to all of the above plus 100+ other models through a single API key. The /model picker in Hermes prefers OpenRouter and Nous Portal first; v0.8 ships aggregator-aware fallback that automatically switches to MiniMax when Opus 4.6 limits are hit.

Troubleshooting the install — the four most common failure modes. The archive guide 29-hermes-vps-setup.md and the source video name four install failure modes the channel has hit:

Can't connect to VPS. Verify the IP address, username (ubuntu), and password. The "no extra spaces" rule is the source's most-cited fix.
Installation fails. Run sudo apt update first, then sudo apt install -y git curl, then re-run the installer. Many fresh Ubuntu images ship without git and curl.
Hermes won't start (hermes command not found). Close and reopen the SSH session, or run source ~/.bashrc. The installer adds the hermes binary to ~/.bashrc's PATH; if the bashrc was not reloaded, the binary is not on PATH for the current session.
Out of memory errors. Upgrade to a higher RAM plan (4 GB → 8 GB). Reduce concurrent tasks via the dashboard's auxiliary settings. Clear old logs and memory via ~/.hermes/.

Backing up the agent. The archive guide recommends a weekly tarball of ~/.hermes/:

tar -czf hermes-backup.tar.gz ~/.hermes/

Download the backup file using Termius SFTP. The same command can be scripted into a weekly cron in the Dashboard.

Path B — VPS to desktop app via Tailscale (the "free" install).

From the VPS, install Tailscale (curl -fsSL https://tailscale.com/install.sh | sh).
Generate a random OIDC secret in a second terminal. Set HERMES_DASHBOARD_USER=admin and HERMES_DASHBOARD_PASSWORD=<random> in /etc/hermes/dashboard.env (or the equivalent path on your build), then chmod 600 the file.
Get the VPS's tailnet IP: tailscale ip -4.
Launch the dashboard bound to the tailnet: hermes dashboard --no-open --bind 100.x.x.x:9191.
Wrap in a systemd service (not a bare tmux session) for 24/7 uptime. The tmux wrapper survives logout only ~50% of the time.
From your laptop, install the Hermes desktop app at version 0.16 or newer. Earlier builds only render a session token field.
Go to Settings → Gateway → Remote Gateway, paste the URL, log in.
TUI is still the right default for terminal and coding work. Use the desktop app for orchestration and "human-in-the-loop" workflows only.

Path C — Local Mac, with the isolation caveats from §2.2.4.

Create a brand new Apple ID not tied to your personal email, calendar, or iCloud. Use it only for the agent host.
Do not put the agent's Mac on your home LAN. Use a guest VLAN or a hotspot if you must network it.
Pick one narrow purpose for the agent. Do not give it access to your personal mail or files.
Disable local-model hosting on the agent host.
Sync files between your personal Mac and the agent Mac via a free folder-sync service.
Never let the agent browse the public web from a machine that also holds your identity.

Common pitfalls

Don't bind the dashboard to 0.0.0.0. Brute-forcing the username/password gives the attacker your API keys, configs, and shell access. Use Tailscale, or switch to OAuth on the Nuki plus tier.
Pin the desktop app to 0.16+ before debugging the gateway sign-in. Older builds only render a session token field.
Don't trust the in-installer OpenClaw import on a clean VPS. The source video reports it dropped cron jobs. Use the manual Migrating from OpenClaw script from the Hermes GitHub repo instead.
Run sudo apt update before the installer. A fresh Ubuntu image without git and curl will fail with a confusing error.
Skip "free VPS" tiers. Every "free VPS" the source video tested eventually demanded a credit card.
Don't run a powerful agent on a Mac tied to your personal Apple ID. If you must, use a brand-new Apple ID and keep the box off your home LAN.
Don't let the agent browse the public web on a machine that also holds your identity. if on mobile there's some malicious code, there's no reinstall button. VPS gives you that button; Mac doesn't.
Keep the TUI client as the default for terminal and coding work. The desktop app injects UI-schema tokens into every prompt, diluting your budget. Confirmed in §2.8 by viewer @TheRicoRick.
Don't rely on a tmux-wrapped dashboard for 24/7 use. The source video reports ~50% survival across logout. Use a real supervisor (systemd, Docker restart policy).
Have your model key ready before you start the installer. Anthropic, Kimi, DeepSeek, Gemini, and OpenRouter all work the same way as MiniMax M2.7.
Skip local-model hosting on the agent host. Local models are "absolute garbage compared to … Opus".
Don't expect the desktop app's settings to round-trip to a VPS. Confirmed in v0.16 by viewer @FelixKraut on the v0.16 release video — the desktop can connect but the GUI settings do not apply. Stay on the TUI for any configuration change.
Don't trust a "free model" entry to stay free for more than a few days. The News Portal rotation is roughly weekly but the duration per slot is short.
Don't use the desktop app for direct agent interaction long-term. The source video's framing: "if you've been using Hermes Agent on a messaging platform like Discord or Telegram, you should stop using that now." The desktop app fully replaces those setups — but it is not a chat client, it is an orchestration surface.

Sources

How to Connect Hermes Agent VPS to Desktop App (FREE Guide) — 6,237 views · video_id: 5F1hFI2lZCg
Hermes Agent Setup on VPS — 924 views · video_id: UbK2kXygPUY
Hermes Agent Desktop App vs TUI (Which One to Use?) — 3,739 views · video_id: QSANg6VHkXI
Why You Should NOT Use Mac Mini for Openclaw — 4,158 views · video_id: nhDA7tcQtx0
Archive guide: Hermes Agent Setup on Mac (Local Install Guide) — Mac install path, Quick Setup wizard, Xcode CLT fallback.
Archive guide: Hermes Agent Setup on VPS — VPS install path, Zebra VPS pricing, Termius SFTP, the OpenClaw installation detected prompt.
Archive guide: Hermes Agent Dashboard Setup — the hermes dashboard local install on port 9119; full SSH-tunnel pattern for VPS.