I run AI agents on a VPS 24/7. They manage my workflows, process data, and talk to me over Telegram. That VPS is always on, always connected, and always a target.

So every night at 11pm, another agent wakes up and runs a full security audit. If everything passes, it logs "security audit passed" and goes back to sleep. If something fails, it explains the issue and fixes it immediately.

No dashboards to check. No alerts to configure. Just an agent doing the boring work every single night.

🔥 Firewall: UFW active and configured correctly
🚫 Fail2Ban: how many IPs got banned in the last 24h
🔑 SSH config: password auth disabled, keys only
🔍 Open ports: nothing unexpected listening
🐳 Docker: no rogue containers running
💾 Disk usage: under 80% capacity

The setup

I use Hermes for this, not OpenClaw. Hermes is an open-source AI agent built by Nous Research; I run it on GPT-5.4. It's security-conscious by design and particularly good at scheduled agent jobs: a built-in cron scheduler, a learning loop, and a paranoid default posture, which is exactly what you want for this kind of work.

Why a separate agent? Same reason you don't use your daily driver for security: separation of concerns. Hermes runs this audit independently on the same VPS, so if my main agent goes down, the security checks still run. Be clear about what that buys you, though: it isolates failures, not compromises. Both agents share one host, so an attacker with root on the VPS can tamper with the auditor as easily as with anything it checks.

The prompt

This is the exact cron prompt. Nothing fancy. Plain language instructions that the agent executes with shell access.

Run a security audit every night at 11pm.

Check:

1. ufw status (firewall active?)
2. fail2ban status (how many IPs banned?)
3. SSH config (password auth disabled?)
4. open ports (anything unexpected listening?)
5. docker containers (any rogue containers?)
6. disk usage (under 80%?)
7. failed login attempts last 24h

If everything passes, say "security audit passed."

If anything fails, explain the issue and fix it immediately.

Prompt originally shared by @johann_sath on X.

What happens behind the scenes

When the cron fires, Hermes runs each check as a shell command and evaluates the output. Here's what it actually executes:

Check          Command                                  Pass condition
Firewall       ufw status                               Status: active
Fail2Ban       fail2ban-client status sshd              Running, reports ban count
SSH            sshd -T                                  passwordauthentication no
Open ports     ss -tlnp                                 Only expected ports (22, 80, 443, etc.)
Docker         docker ps                                Only known containers running
Disk           df -h /                                  Usage under 80%
Failed logins  journalctl -u sshd --since "24h ago"     No successful unauthorized logins

Two details worth knowing about these commands. sshd -T prints the effective configuration with lower-case keys, which is the right thing to check: grepping sshd_config alone misses drop-ins in sshd_config.d that can override it. And on Debian and Ubuntu the service is named ssh rather than sshd, so the journal query needs -u ssh there (passing both -u ssh and -u sshd is harmless).
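The same checks as a plain bash script, which is the "cron + a bash script" alternative mentioned later in the post. This is an added example, not Hermes' logic or the author's code. Each check_* function takes the output of a command as its argument and returns 0 (pass) or 1 (fail) with a one-line reason, so the pass conditions can be exercised against captured output without root; run_audit wires them to the live commands. The expected port list, known container names and the 80% limit are assumptions to be set per host.

```shell
#!/usr/bin/env bash
# Added example (not Hermes' or the author's code): the nightly checks from the
# table above as shell functions. Each check_* takes a command's OUTPUT as $1
# and returns 0 (pass) or 1 (fail), printing a reason on failure, so the logic
# is testable on captured text. run_audit runs them against the live commands.
# The three policy values below are assumptions for this example.
EXPECTED_PORTS="22 80 443"   # non-loopback TCP ports allowed to listen
KNOWN_CONTAINERS="web db"    # container names allowed to be running
DISK_LIMIT=80                # percent used on / at which the check fails

check_ufw() {        # $1: output of `ufw status`
  grep -q '^Status: active' <<<"$1" && return 0
  echo "FAIL firewall: ufw is not active"; return 1
}

check_sshd() {       # $1: output of `sshd -T` (effective config, lower-case keys)
  local bad=0
  grep -qx 'passwordauthentication no' <<<"$1" || { echo "FAIL ssh: password auth enabled"; bad=1; }
  grep -qx 'permitrootlogin yes' <<<"$1" && { echo "FAIL ssh: root login with password allowed"; bad=1; }
  return $bad
}

check_ports() {      # $1: output of `ss -tlnH` (listening TCP sockets, no header)
  local bad=0 addr port
  # Column 4 is Local Address:Port; take what follows the last ':' so IPv6 works.
  while read -r _ _ _ addr _; do
    [ -z "$addr" ] && continue
    case $addr in 127.*|'[::1]':*) continue ;; esac   # loopback-only is not exposed
    port=${addr##*:}
    case " $EXPECTED_PORTS " in
      *" $port "*) ;;
      *) echo "FAIL ports: unexpected listener $addr"; bad=1 ;;
    esac
  done <<<"$1"
  return $bad
}

check_docker() {     # $1: output of `docker ps --format '{{.Names}}'`
  local bad=0 name
  while read -r name; do
    [ -z "$name" ] && continue
    case " $KNOWN_CONTAINERS " in
      *" $name "*) ;;
      *) echo "FAIL docker: unknown container running: $name"; bad=1 ;;
    esac
  done <<<"$1"
  return $bad
}

check_disk() {       # $1: output of `df -P /` (POSIX layout; Use% is column 5)
  local used
  used=$(awk 'NR==2 { sub("%", "", $5); print $5 }' <<<"$1")
  [ "${used:-0}" -lt "$DISK_LIMIT" ] && return 0
  echo "FAIL disk: / is ${used}% full (limit ${DISK_LIMIT}%)"; return 1
}

check_logins() {     # $1: sshd journal lines for the last 24h
  local failed accepted_pw
  failed=$(grep -c 'Failed password' <<<"$1")
  echo "INFO ssh: $failed failed password attempts in 24h"
  # With password auth disabled, any "Accepted password" line means policy was violated.
  accepted_pw=$(grep 'Accepted password' <<<"$1")
  [ -z "$accepted_pw" ] && return 0
  echo "FAIL ssh: password login succeeded:"; echo "$accepted_pw"; return 1
}

run_audit() {        # live run from cron; needs root for ufw, sshd -T and the journal
  local rc=0
  check_ufw    "$(ufw status 2>&1)"                                          || rc=1
  check_sshd   "$(sshd -T 2>/dev/null)"                                      || rc=1
  check_ports  "$(ss -tlnH)"                                                 || rc=1
  check_docker "$(docker ps --format '{{.Names}}' 2>/dev/null)"              || rc=1
  check_disk   "$(df -P /)"                                                  || rc=1
  check_logins "$(journalctl -q -u ssh -u sshd --since '24h ago' --no-pager)" || rc=1
  [ "$rc" -eq 0 ] && echo "security audit passed"
  return "$rc"
}

# Run the live audit only when asked, e.g. from cron: AUDIT_LIVE=1 /usr/local/sbin/audit.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then run_audit; fi
```

Two design choices: every check fails closed (an empty sshd -T output because the script was not run as root reads as "password auth enabled", which is the safe direction), and the port check ignores loopback-only listeners so a local database or metrics endpoint does not page you every night.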

The agent doesn't just check. If it finds password auth enabled on SSH, it edits the config and restarts sshd. If disk is over 80%, it finds and cleans up the biggest offenders (old logs, docker images, temp files). If there's a rogue container, it stops it and alerts me.

A note on auto-remediation

Giving an AI agent permission to fix security issues means trusting it with root access. I'm comfortable with this because (1) the checks are well-scoped, (2) the fixes are standard sysadmin procedures, and (3) I review the logs. If you're not comfortable with auto-fix, change the prompt to "explain the issue and suggest a fix" instead. Either way, keep one guardrail: a fix that edits the SSH configuration must be validated with sshd -t before the service is restarted. A broken config means sshd fails to come back up and new connections are refused until someone fixes it out of band.
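What a lock-out-safe version of the SSH fix looks like, added here as an example and not Hermes' own remediation logic: write the hardening as a drop-in file, validate with sshd -t before reloading, and roll back if validation fails. The drop-in directory, validator and reload commands are parameters so the routine can be tried in a scratch directory; in production they are /etc/ssh/sshd_config.d, "sshd -t" and "systemctl reload ssh" (or sshd). The 00- file name is an assumption chosen so the drop-in sorts first, which matters because sshd keeps the first value it reads for each keyword.

```shell
#!/usr/bin/env bash
# Added example (not Hermes' or the author's code): disable SSH password auth
# without risking a lock-out. Requires OpenSSH 8.2+ where sshd_config contains
# "Include /etc/ssh/sshd_config.d/*.conf" near the top, so drop-ins win.
set -u

# disable_ssh_password_auth <dropin_dir> <validator> <reload_cmd>
#   dropin_dir : directory of *.conf drop-ins (prod: /etc/ssh/sshd_config.d)
#   validator  : command returning 0 if the merged config is valid (prod: "sshd -t")
#   reload_cmd : command applying the config (prod: "systemctl reload ssh")
# Returns 0 when the hardening is in place, 1 when it was rolled back.
disable_ssh_password_auth() {
  local dropin_dir=$1 validator=$2 reload_cmd=$3
  local target="$dropin_dir/00-audit-hardening.conf"   # name is an assumption; sorts first
  local tmp backup=""
  mkdir -p "$dropin_dir"

  # Keep a copy of any existing drop-in so a failed validation can restore it.
  if [ -f "$target" ]; then backup=$(mktemp); cp "$target" "$backup"; fi

  # Write to a temp file that the *.conf glob does not match, then rename, so
  # sshd can never read a half-written file.
  tmp=$(mktemp "$dropin_dir/.audit.XXXXXX")
  printf '%s\n' \
    '# Managed by the nightly security audit' \
    'PasswordAuthentication no' \
    'KbdInteractiveAuthentication no' \
    'PermitRootLogin prohibit-password' > "$tmp"
  mv "$tmp" "$target"

  # Only reload once sshd itself says the merged configuration parses.
  if $validator; then
    $reload_cmd
    [ -n "$backup" ] && rm -f "$backup"
    echo "ssh: password auth disabled"
    return 0
  fi

  # Validation failed: restore the previous state before anything reloads.
  if [ -n "$backup" ]; then mv "$backup" "$target"; else rm -f "$target"; fi
  echo "ssh: hardening rolled back, config failed validation" >&2
  return 1
}

# Production call (needs root): disable_ssh_password_auth /etc/ssh/sshd_config.d "sshd -t" "systemctl reload ssh"
```

Reload rather than restart is enough for sshd to pick up the change, and on Ubuntu cloud images it also sidesteps the 50-cloud-init.conf drop-in, which would otherwise be the first file to set PasswordAuthentication.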

Why Hermes

Hermes is open-source, runs on any model (OpenRouter, OpenAI, local), and has a built-in cron scheduler that delivers results to Telegram, Discord, or Slack. Those two pieces, the scheduler and the message delivery, plus shell access are all this use case needs.

You could do this with OpenClaw, cron + a bash script, or any agent framework with shell access. Hermes just happens to be what I use for this job because it runs independently from my main agent stack.

Setting it up yourself

1. Install Hermes

curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash
source ~/.bashrc
hermes setup

The first line pipes the installer straight into bash. If you'd rather know what is about to run under your account, fetch install.sh to a file, read it, then execute it.

2. Configure your model

hermes model

I run it on GPT-5.4 via OpenRouter. For security audits you want a model that's thorough and follows instructions precisely. 5.4 is good at this.

3. Set up the cron

Open Hermes and paste the prompt from above. Tell it to run as a cron. It handles the scheduling natively.

4. Connect Telegram (optional)

hermes gateway

Follow the setup to connect a Telegram bot. Now your audit results land in your DMs every morning.

The baseline matters

Before running this, make sure your VPS has the basics: UFW installed and enabled, fail2ban configured, SSH key-only auth, and unattended-upgrades for automatic security patches. The audit checks these are still in place. It doesn't set them up from scratch.

What I've caught

In the months I've been running this:

None of these were emergencies. All of them were things I wouldn't have noticed until they became emergencies.

The pattern

This isn't really about security. It's about using AI agents for the maintenance work that humans forget, skip, or procrastinate on. Security audits. Log rotation. Certificate renewal checks. Dependency updates. Backup verification.

The work that's important but never urgent, until it is.

Set up an agent. Give it the checklist. Let it run every night. Read the results over coffee.

┌──────────────┐      11pm daily      ┌─────────────────┐
│              │ ───────────────────> │ Security Audit  │
│    Hermes    │                      │    7 checks     │
│    (cron)    │ <─────────────────── │ auto-remediate  │
│              │       results        │                 │
└──────┬───────┘                      └─────────────────┘
       │
       │ Telegram
       ▼
┌──────────────┐
│  Your phone  │
│  ☕ morning  │
└──────────────┘

About this guide

Built by Alex Yao. I teach professionals how to build AI agent systems that do real work. Join Agent-J+ if you want to learn how.