Kronos Agent OS: an operational layer for AI agents, open source

A self-hosted Python runtime for AI agents with memory, skills, automations, multi-agent coordination, and a dashboard. Compared against Hermes Agent and OpenClaw.

---

Why yet another agent framework

Agent frameworks are everywhere: OpenClaw (~347K stars), Hermes Agent (100K+), LangGraph, CrewAI, AutoGen. Most of them optimize the conversation — prompts, tool calling, retrieval. That matters, but it only covers part of the problem.

When an agent runs for weeks instead of minutes, the requirements change: inspectable state, tool call auditing, scheduled tasks, security controls, multi-agent coordination. Existing frameworks punt these problems to the developer.

KAOS (Kronos Agent OS) is an operational layer around the agent: memory, skills, tools with auditing, automations, multi-agent coordination, a dashboard, and capability gates — all included.

---

What KAOS is

KAOS is a self-hosted Python runtime for long-running AI agents. “Long-running” means the agent persists state across sessions, runs scheduled tasks, keeps inspectable memory, and is managed through a local dashboard — no cloud service needed.

pip install kronos-agent-os
kaos demo

The demo works offline. No API keys required.

Mental model:

Пользователь / Cron / Коннектор → KAOS Runtime
                                     ├── Память (сессии, FTS5, векторы, граф знаний)
                                     ├── Навыки (workspace-процедуры)
                                     ├── Tool Gateway (MCP, кастомные, браузер, динамические)
                                     ├── Автоматизации (12+ задач по расписанию)
                                     ├── Координация суб-агентов (опциональный swarm)
                                     └── Dashboard Control Room

KAOS is not a framework for building agents. It is an operating system for running them.

---

The field: Hermes, OpenClaw, and everyone else

Hermes Agent (Nous Research)

100,000+ GitHub stars, 140+ contributors. The standout feature: a learning loop where the agent creates skills from experience, refines them on use, and builds a user model across sessions. Self-assessment checkpoint fires every 15 tool invocations.

Strengths:

• Self-improving skills with progressive disclosure — the library grows, token costs stay flat
• Dialectical user modeling (Honcho)
• 6 backends: local, Docker, SSH, Daytona, Singularity, Modal (serverless persistence)
• Built-in migration from OpenClaw
• Any LLM provider, no lock-in

Weaknesses:

• Memory is flat Markdown files with a hard character limit. Exceed the limit — get an error, clean up by hand. No semantic search, no relationship graph, no auto-cleanup of stale facts. Structured memory with typed nodes and graph edges is only planned (GitHub Issue #346, March 2026)
• One memory provider at a time. Cannot combine Qdrant + FTS5 + flat files
• No multi-agent ledger. Sub-agents run in parallel but without coordination: no arbitration, no shared state, no anti-flood
• No scheduled automations. Hermes waits for you to speak. No news digests, no overnight memory consolidation, no weekly analytics
• No dashboard or audit trail. It learns — but what it did stays invisible
• Security is implicit. No capability gates, no tool call editing, no cost guardian

OpenClaw

~347,000 stars — one of the fastest-growing open source projects in GitHub history. TypeScript/Node.js. Gateway-first architecture. 50+ messenger integrations.

Strengths:

• Unmatched integration count: WhatsApp, Telegram, Discord, Slack, Signal, iMessage, Matrix, Teams, and 40+ more
• Markdown-file workspace (SOUL.md, MEMORY.md, TOOLS.md) — human-readable and editable
• Canvas — a live UI controlled by the agent
• ClawHub — a skills marketplace
• openclaw onboard — step-by-step onboarding from the terminal

Weaknesses:

• 9 CVEs in 4 days in March 2026. Including CVE-2026-25253 (CVSS 8.8) — insecure WebSocket, auth token leaks
• Supply chain attack on ClawHub: of 2,857 skills, 341 turned out to be malicious (Koi Security audit). The skills marketplace became an attack vector, not an advantage
• Multi-agent is non-deterministic. The LLM decides when to launch a reviewer, when to retry. sessions_spawn creates child agents via LLM session — flow control is unpredictable
• Memory is flat files. No FTS5, no semantic search, no graph. Works for simple cases; falls apart when an agent needs to remember thousands of facts over months
• Skills are static. The agent does not learn — skills work the same on day 1 and day 100
• Unstable updates. Reddit threads regularly mention breaking changes between versions

---

KAOS architecture: technical breakdown

1. Custom ReAct engine (no LangGraph)

KAOS runs a custom ReAct loop (engine.py) built directly on langchain_core messages and tools. No LangGraph. No framework dependency beyond the message protocol.

result = await react_loop(
    model=model,
    messages=history,
    tools=tools,
    system_prompt=system_prompt,
    max_turns=25,
)

LangGraph works well for prototyping. But when you need control over tool call execution, error propagation, and loop termination — you want a loop you can read in 200 lines, not a graph abstraction.

The engine gives you:

• Async tool execution with timeouts (120 seconds by default)
• Error classification and recovery
• Callbacks for audit trail on every tool call
• Graceful termination on iteration exhaustion

2. Five-layer memory

This is where KAOS breaks from the competition.

Layer	Storage	Purpose	Search
Sessions	SQLite per thread	Recent conversation history	Sequential
Extracted facts	FTS5 (SQLite)	Exact recall — names, IDs, dates, URLs, decisions	Full-text
Vector memory	Mem0 + Qdrant (local)	Semantic recall — concepts, topics, similar context	Vector similarity
Knowledge graph	SQLite	Entities and relationships — people, companies, projects	Graph traversal
Shared facts	Swarm SQLite (FTS5)	Cross-agent user profile	Full-text

Hermes has 4 layers (session, persistent, skill, user model), but all backed by flat files with a character limit. No semantic search, no graph. OpenClaw has Markdown files without structured search.

KAOS memory lifecycle:

1. Retrieve — before each LLM call, FTS5 + Mem0 + knowledge graph results inject as transient context
2. Store — after the response, facts extract in the background (DeepSeek lite, ~$0.001/turn)
3. Consolidate — nightly sleep-compute deduplicates facts, extracts entities into the knowledge graph, generates actionable insights, cleans up stale data
4. Share — facts from user messages mirror into shared_user_facts so all agents in the swarm see the same profile

Sleep-compute draws from biological memory: short-term memories (sessions) consolidate into long-term structures (knowledge graph) during “sleep” (nightly cron).

3. Skills: Progressive Disclosure

Both Hermes and KAOS support skills, but the philosophy differs.

Hermes creates skills automatically from successful executions. The learning loop improves them. A strong approach for repetitive personal workflows.

KAOS uses workspace-local procedures with progressive disclosure:

Level	Content	Token cost
L1 Catalog	Name + one-line description	Always in the prompt (~50 tokens/skill)
L2 Protocol	Full SKILL.md with steps and rules	Loaded via load_skill() on demand
L3 References	Supporting files, examples, fixtures	Loaded via load_skill_reference() on request

An agent with 20 skills pays ~1,000 tokens in the base prompt (catalog), not 20,000. The full protocol loads only when the agent decides it matters.

KAOS ships with 5 skill packs (research, productivity, ops, content, finance-lite) and 5 agent templates (Personal Operator, Research Agent, Ops Assistant, Founder Strategy, Analyst Reporter).

kaos templates list
kaos templates install personal-operator my-agent --force
kaos skills packs
kaos skills install-pack productivity --agent my-agent --force

4. Tool Gateway: MCP with auditing

All three frameworks support tools. KAOS adds an auditing and security layer on top.

Every tool call generates two events in tool_calls.jsonl:

• tool_call — tool name, redacted arguments, session context
• tool_result — success/error, redacted result, latency

Secret values (token, secret, password, api_key, bearer tokens, sk-* keys) are redacted automatically before writing.

Capability gates control what the agent can do:

ENABLE_DYNAMIC_TOOLS=false          # Может ли агент создавать Python-инструменты?
REQUIRE_DYNAMIC_TOOL_SANDBOX=true   # Обязателен ли Docker для динамических инструментов?
ENABLE_MCP_GATEWAY_MANAGEMENT=false # Может ли агент добавлять/удалять MCP-серверы?
ENABLE_DYNAMIC_MCP_SERVERS=false    # Загружать ли сохранённые динамические MCP-серверы?
ENABLE_SERVER_OPS=false             # Может ли агент подключаться к серверам по SSH?

A fresh install ships locked down by default. That’s intentional. An agent that can create arbitrary Python tools and SSH into production servers should require explicit opt-in, not implicit trust.

Context: OpenClaw racked up 9 CVEs in 4 days and 341 malicious skills landed on ClawHub. When the community grows faster than security — users pay the price.

5. Five-layer security

Layer	What it does	How
L1: Input Shield	Blocks prompt injection before the LLM	28 regex patterns (EN + RU), rate limiter (10 requests/min)
L2: Sanitizer	Neutralizes injections in external content	Unicode homoglyph folding, hidden HTML elements, boundary markers
L3: Loop Detector	Prevents infinite tool loops	3 detectors (repeat, ping-pong, poll), 3-step escalation (WARNING → CRITICAL → CIRCUIT_BREAKER at 30 calls)
L4: Output Validator	Redacts secrets from responses	API key patterns, connection strings, system paths, prompt leaks
L5: Cost Guardian	Prevents runaway spending	$5/day, $1/session, warning at 80%

Neither Hermes nor OpenClaw ship with this depth of protection. KAOS was built to run 24/7 on a VPS without babysitting.

6. Automations: the agent works while you sleep

This is what makes KAOS an “Agent OS” rather than a chat wrapper.

Task	Schedule	What it does
heartbeat	Every 30 min	Checks tasks in workspace and Notion, notifies only if actionable
news-monitor	Daily 08:30	Scans watchlist via Brave Search, sends HTML digest
group-digest	Daily 09:00	Collects messages from Telegram groups, ranks by engagement, digest
sleep-compute	Daily 11:00	Overnight memory consolidation: deduplication, entity extraction, insights
self-improve	Daily 22:00	Analyzes the last 24h of interactions, proposes ONE specific improvement
expense-digest	Weekly	Summarizes expenses from Notion: categories, trends, recommendations
skill-improve	Weekly	Auto-improves skills based on usage patterns
user-model	Weekly	Dialectical user modeling: hypothesis validation and updates
market-review	Weekly	Aggregates news by tickers, sentiment analysis
people-scout	Weekly	LinkedIn discovery: rotating focus (US founders → EU → AI engineers → Indie)
email-expenses	Daily 08:00	Auto-extracts expenses from Gmail receipts via MCP
swarm-retention	Weekly	Cleans up stale messages in the swarm ledger (90 days)

The scheduler is pure asyncio — no external dependencies. Tasks run in the main event loop alongside the Telegram bridge and dashboard. State survives restarts.

Hermes has no scheduler. OpenClaw offers basic cron support via HEARTBEAT.md, but nothing close to this set of pre-built pipelines.

7. Swarm Mode: multi-agent coordination without pub/sub

KAOS runs 6 independent agent processes, each with its own Telegram account, persona, workspace, and memory — coordinated through a single shared SQLite file.

All agents see every message in the group. Each decides independently whether to respond using a 3-tier routing system:

Tier	Trigger	Delay	Bypasses arbitration?
Tier 1	Explicit @mention or reply to my message	1-5 sec	Yes — always responds
Tier 2	Topic relevance >= 7/10 (LLM check)	5-20 sec	No — subject to cap
Tier 3	Peer reaction (meaningful disagreement)	15-45 sec	No — cap + cooldown

Anti-flood:

• Hard cap: at most 2 implicit replies per user message across all agents
• Tier 3: 5-minute cooldown per agent, “PASS” protocol for silent decline
• Re-check after delay (another agent may have responded while we waited)

Arbitration via SQLite IMMEDIATE transactions:

# Агент вставляет claim перед ответом
swarm.claim_reply(agent_name="kronos", tier=2, eta_ts=time.time() + 12)

# Перед отправкой — атомарная проверка:
outcome = swarm.can_send_claim(agent_name="kronos", tier=2)
# Правило победителя: tier ASC, eta_ts ASC, agent_name ASC

Simpler and more debuggable than pub/sub or consensus protocols. One SQLite file, six concurrent writers, WAL mode, IMMEDIATE transactions. All coordination state is inspectable via sqlite3 data/swarm.db.

OpenClaw multi-agent is LLM-orchestrated: the model decides when to launch a reviewer, when to retry. Flow control is non-deterministic. Hermes sub-agents run in isolation — parallel, but without a shared ledger.

Peer reactions in KAOS are ephemeral by design:

• Peer text passes via transient extra_system_context (not persisted to history)
• No writes to Mem0 — peer reactions do not pollute long-term memory
• If the agent has nothing substantive to add — “PASS” — the claim gets cancelled silently

This kills the “parrot bug” where agents echo each other’s text because it leaked into the session history.

8. Dashboard Control Room

The dashboard is the operator surface of KAOS. Not a chat UI — a control room.

View	What it shows
Overview	Health, uptime, agent activity, anomalies
Memory Explorer	Facts with search, shared facts, knowledge graph entities, sessions — with deletion and reset
Audit Trail	Every tool call: arguments, results, latency, status
Jobs	Cron schedule, recent runs, errors
Swarm	Arbitration history, claim outcomes, per-agent metrics
Skills	Workspace skills with toggles
MCP Servers	Static and managed servers
Settings	Capability gates, provider status, configuration

When a capability is blocked by policy, the dashboard shows the gate name and the environment variable to enable it — instead of hiding the feature silently.

9. LLM routing: cost savings by default

KAOS uses a two-tier strategy:

Tier	Used for	Default provider
Lite	Relevance checks, parsing, bulk operations, fact extraction	DeepSeek V3
Standard	Orchestration, analysis, complex reasoning, tool calling	Kimi K2.5

KAOS is not locked to any models. Configure OpenAI, OpenRouter, Groq, Together, LiteLLM, Ollama, or any OpenAI-compatible endpoint in .env. No code changes.

---

Comparison matrix

Feature	KAOS	Hermes Agent	OpenClaw
GitHub stars	New (v0.1.0)	~100,000	~347,000
Language	Python	Python + TS (TUI)	TypeScript/Node.js
License	MIT	MIT	MIT
Self-hosted	Yes (core design)	Yes	Yes
Memory layers	5 (sessions, FTS5, vectors, graph, shared)	4 (flat files with char limit)	Markdown files
Knowledge graph	Yes (SQLite, entities + relationships)	No (planned)	No
Sleep-time consolidation	Yes (nightly pipeline)	No	No
Skills	Progressive disclosure (L1/L2/L3)	Auto-created learning loop	SOUL.md + static skills
Skill auto-improvement	Yes (weekly cron)	Yes (built-in loop)	No
User modeling	Yes (dialectical, weekly)	Yes (Honcho)	Basic preferences
Tool audit trail	Yes (redacted, persistent)	No	No
Capability gates	5 env-based gates	No	No
Security layers	5 (shield, sanitize, loop, output, cost)	Basic	9 CVEs in 4 days (March 2026)
Cost guardian	Yes ($5/day, $1/session)	No	No
Automations	12 base + 6 agent-specific	No	Basic HEARTBEAT.md
Dashboard	Control Room (8 views)	No	Basic web UI
Multi-agent	6-agent swarm, SQLite arbitration	Isolated sub-agents	LLM-orchestrated (non-deterministic)
Messengers	Telegram, Discord, CLI, webhook	6+ channels	50+ channels
Offline demo	Yes (kaos demo)	No	No

---

Who KAOS is for

Good fit if you:

• Want to own the agent runtime, not rent it from a cloud service
• Need inspectable state — memory, tool calls, decisions — not a black box
• Need scheduled automations — digests, monitoring, analytics, self-improvement — running without human input
• Need multi-agent coordination for tasks that benefit from multiple perspectives
• Care about secure defaults — capability gates, tool auditing, cost controls
• Prefer Python and the LangChain/Mem0/Qdrant stack

Not a good fit if you:

• Need 50+ messenger integrations out of the box (use OpenClaw)
• Want a learning loop that creates skills from scratch (use Hermes)
• Need the largest community (OpenClaw by stars, Hermes by quality contributors)
• Want a hosted solution with zero ops (KAOS is self-hosted by design)

---

Quick start

30-second demo

pip install kronos-agent-os
kaos demo

No API keys. No Docker. No configuration.

Full installation

git clone https://github.com/spyrae/kronos-agent-os.git
cd kronos-agent-os
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

kaos doctor                    # валидация setup
kaos init personal-operator    # создать первого агента
# отредактируй .env: добавь FIREWORKS_API_KEY или DEEPSEEK_API_KEY
kaos chat                      # начать диалог

Dashboard

kaos demo-seed --reset
kaos dashboard
# Открой http://127.0.0.1:8789

Templates and skills

kaos templates list            # 5 шаблонов агентов
kaos skills packs              # 5 паков навыков
kaos skills install-pack productivity --agent my-agent --force

---

Building AI agents and want to keep control of the runtime? I help startups and engineering teams design agent systems — belov.works

pip install kronos-agent-os
kaos demo

GitHub: github.com/spyrae/kronos-agent-os License: MIT Python: 3.11+