Where Hermes + Paperclip Agents Break (and the Fixes)
The real AI agent failure modes when you run Hermes + Paperclip: three cited GitHub bugs, the security traps, and the runaway-cost fixes that actually hold.
>This is the triage layer. Zero-Human Companies goes deeper on each failure mode, the security model, and the guardrails that keep an autonomous company from burning money.

Zero-Human Companies
Build an Autonomous AI Business with Hermes Agent + Paperclip
Summary:
- The real failure modes of a Hermes + Paperclip stack, grouped into three categories.
- The three cited GitHub bugs, with status, so you know which still bite.
- The security and cost traps that are config mistakes, not bugs.
- A copy-paste triage checklist plus the fixes that hold.

The AI agent failure modes that cost you a weekend are not mysterious, and they are not fabricated war stories. They are specific, they are documented, and most of them have an issue number. When you compose Hermes Agent with the Paperclip control plane, the failures fall into three buckets: composition bugs in the glue between the tools, config traps you set yourself, and universal LLM problems that hit any agent runtime. Here is the whole matrix, then the fixes that actually hold.
What are the failure modes, at a glance?
The failures are real. The fixes are specific. No fabricated war stories. Here is the full set:
| # | Failure | Category | Citation | Fix |
|---|---|---|---|---|
| 1 | Session-ID infinite loop | Composition Bug | paperclip#1160 (open) | persistSession: false |
| 2 | Stale api_mode on provider switch | Config Trap | hermes-agent#3685 (resolved) | clear cached auth, restart |
| 3 | Embedded Postgres fails on WSL2 | Composition Bug | paperclip#1032 (open) | external Postgres + DATABASE_URL |
| 4 | local_trusted exposure | Config Trap | n/a | switch to authenticated mode |
| 5 | Local-backend filesystem access | Config Trap | n/a | docker backend or restrict toolsets |
| 6 | Runaway token cost | Universal LLM | n/a | timeoutSec + maxIterations + billing alert |
| 7 | Context window overflow | Universal LLM | n/a | split into smaller issues |
| 8 | Approval rejection loops | Composition Bug | n/a | reject with a comment, self-block at a cap |
| 9 | Hallucinated citations | Universal LLM | n/a | verify-citation skill + editor pass |
| 10 | Model deprecation | Universal LLM | n/a | provider abstraction, current model |
Three categories, ten modes. The composition bugs are the ones unique to wiring these two tools together, so start there.
The session-ID loop (the one that wastes a day)
The most common first-run failure is an open bug. Straight from the tracker:
#1160: hermes-local adapter: invalid session ID stored in sessionParams causes infinite ‘Session not found’ loop (open). The adapter stores any string the session-ID parser returns without validating its format. When Hermes prints an unexpected token (the reported example was the word
from) that matches the session-ID regex, the adapter persists it and passes--resume fromon the next heartbeat. Hermes answersSession not found: from, the adapter re-stores the bad ID, and runs finish in 2-3 seconds without doing real work.
Source: paperclipai/paperclip#1160, open as of this writing. The detection signal is the tell: heartbeats that complete in two or three seconds while accomplishing nothing. The fix is one field:
"adapterConfig": {
"model": "openrouter/qwen/qwen-2.5-72b-instruct",
"persistSession": false
}
Start every new agent with persistSession: false. Turn persistence on only after the agent runs clean.
The two other cited bugs
Embedded Postgres on WSL2 (paperclip#1032, open). onboard completes, but run fails and the logs show PostgreSQL init errors. Skip the embedded database and point at a real one on port 5432:
docker run -d --name paperclip-postgres \
-e POSTGRES_PASSWORD=paperclip -e POSTGRES_DB=paperclip \
-p 5432:5432 postgres:16
export DATABASE_URL="postgres://postgres:paperclip@localhost:5432/paperclip"
npx paperclipai run
Stale api_mode on a provider switch (hermes-agent#3685, resolved). This one is fixed in current Hermes, so it is here as a class of problem, not an active bug. If a provider switch does not take, the recipe is generic: clear the cached auth (hermes logout <old>), re-authenticate, restart any long-running process, and verify with a fresh hermes chat -q "test". Do not present a resolved bug as a live one; that is how troubleshooting sections lose trust.
The config traps (your mistakes, not bugs)
local_trusted exposure. Paperclip’s default local_trusted mode has no login and assumes loopback only. Expose it on a network and anyone who reaches the machine has full admin. Check your mode before binding anywhere but 127.0.0.1:
npx paperclipai env | grep -i mode
The fix is to switch to authenticated mode the moment client data or network exposure enters the picture. Never bind to 0.0.0.0 in local_trusted.
Unrestricted filesystem access. Hermes’s local terminal backend gives the agent your user’s full filesystem access: SSH keys, browser cookies, git repos. It is fine in isolation and dangerous the moment an agent processes untrusted input. Switch that agent to the docker backend, or restrict it to enabledToolsets: ["file", "web"] so it cannot spawn a shell at all.
The universal LLM failures (manage, don’t fix)
These hit any agent runtime. The big one is runaway cost: an agent loops on an error, retries, and burns tens of dollars on a task that should cost cents. You do not fix this, you bound it:
"adapterConfig": { "timeoutSec": 300, "maxIterations": 50 }
timeoutSec caps wall-clock time per heartbeat; maxIterations caps tool calls. While you investigate a runaway, crank HEARTBEAT_SCHEDULER_INTERVAL_MS up or disable the scheduler entirely. Then set a provider-side billing alert as the last line of defense. The other universal modes follow the same logic: split oversized tasks into smaller issues to dodge context overflow, gate client-facing output behind a human approval and an editor agent to catch hallucinated citations, and use provider abstraction so a deprecated model is a one-line config change, not a rewrite.
What should you actually do?
When something breaks, work the triage checklist in order. Most problems surface in the first three steps:
- Run
npx paperclipai doctorandhermes doctor. They surface config and dependency errors fast. - Read the activity log:
npx paperclipai activity list --company-id <id>. Look for repeating patterns or long gaps. - Check the issue state:
npx paperclipai issue get PC-N. Confirm where it actually is and who owns it. - Search both issue trackers for your exact error message. Someone has probably hit it.
The bottom line
- Three of these failures have issue numbers; one of those three is already resolved. Knowing the status is the difference between fixing a real bug and chasing a ghost.
- Most “AI agents are unreliable” takes are really “I never set a timeout.” Bound cost with
timeoutSecandmaxIterations, and the worst case is a wasted heartbeat, not a wasted paycheck. - Composition bugs get fixed upstream, config traps are on you, and universal LLM failures are the price of the technology. Stay current on versions, restrict by default, and gate anything a human will pay for.
Frequently Asked Questions
What are the most common AI agent failure modes?+
For a Hermes + Paperclip stack they fall in three buckets: composition bugs (the session-ID loop, embedded Postgres on WSL2), config traps (local_trusted exposure, unrestricted filesystem access), and universal LLM problems (runaway cost, context overflow, hallucinated citations, model deprecation).
How do I stop an AI agent from running up huge token costs?+
Bound it. Set timeoutSec and maxIterations in the adapter config, raise HEARTBEAT_SCHEDULER_INTERVAL_MS while you investigate, and set a billing alert on OpenRouter or Anthropic as the last line of defense.
Why does my Hermes agent finish in two seconds without doing anything?+
That is Paperclip issue #1160, an open session-ID loop. An invalid session ID gets stored and replayed as --resume forever. Set persistSession to false on the agent to break it.