Skip to main content

Nous Hermes Skill

The Conto skill for Nous Hermes adds fine-grained spending policies to any AI agent. It checks every payment against 20+ policy rule types before money leaves the wallet.

How It Works

Agent wants to pay 50 pathUSD to 0xabc...
    |
    v
Skill calls POST /api/sdk/payments/approve
    |
    v
Conto evaluates all policy rules
    |
    +---> APPROVED: agent proceeds with payment
    +---> DENIED: agent stops, reports violations
    +---> REQUIRES_APPROVAL: agent pauses for human sign-off
Conto supports two wallet modes:
  • Integrated (PRIVY/SPONGE) — Your wallet provider holds the keys (Privy or Sponge, respectively). Conto evaluates policies and orchestrates execution through the provider. One API call handles policy check + execution.
  • External — Agent holds the keys. Agent calls approve, transfers itself, then confirms.
Both modes evaluate the same 20+ policy rule types.

Install

hermes skills install well-known:https://conto.finance/.well-known/skills/conto
This fetches SKILL.md and conto-check.sh from the well-known discovery endpoint and installs them into ~/.hermes/skills/conto/.

Manual install

Copy the skill files directly: 
cp -r skills/conto-hermes ~/.hermes/skills/conto
Or add the directory to your Hermes config (~/.hermes/config.yaml): 
skills:
  external_dirs:
    - /path/to/skills/conto-hermes

Configure

1. Connect your agent in Conto

Sign in to the Conto dashboard and connect your agent. You’ll register your wallet in the walkthrough below.

2. Generate an SDK key

Go to Agents > your agent > SDK Keys > Generate New Key.
  • Select Standard for payment approval only
  • Select Admin if you want the agent to create/manage policies

3. Add to Hermes env

Add your SDK key to ~/.hermes/.env: 
CONTO_SDK_KEY=conto_agent_your_key_here
CONTO_API_URL=https://conto.finance

Usage

Telegram / Discord / WhatsApp

/conto list my policies
/conto create a $200 per-transaction limit
Send 50 pathUSD to 0x742d... on Tempo

CLI

hermes agent -m "/conto list my policies"
hermes agent -m "Send 50 pathUSD to 0x742d... on Tempo"

Standard vs Admin SDK Keys

CapabilityStandardAdmin
Check payment policiesYesYes
Confirm paymentsYesYes
Pre-authorize x402 callsYesYes
Read policies and transactionsYesYes
Create/update/delete policiesNoYes
Manage agents and walletsNoYes

Create Policies from Hermes

With an admin SDK key, manage policies via natural language: 
/conto create a policy that limits each transaction to 200 pathUSD
/conto create a policy that only allows API_PROVIDER and CLOUD categories
/conto block address 0xbad... from receiving payments
/conto create a policy that requires approval for payments over 500 pathUSD
/conto list my policies
/conto delete the blocklist policy

Test Policies

After creating policies, verify enforcement: 
# Should approve (within limits)
/conto check if a 10 pathUSD payment to 0x742d... is allowed

# Should deny (over per-tx limit)
/conto check if a 500 pathUSD payment to 0x742d... is allowed

# Should deny (blocked address)
/conto check if a 1 pathUSD payment to 0xbad... is allowed

# Should deny (wrong category)
/conto check if a 10 pathUSD payment to 0x742d... for gambling is allowed

Supported Policy Types

TypeWhat it controls
MAX_AMOUNTPer-transaction cap
DAILY_LIMIT / WEEKLY_LIMIT / MONTHLY_LIMITCumulative spend caps
ALLOWED_CATEGORIES / BLOCKED_CATEGORIESCategory whitelist/blocklist
ALLOWED_COUNTERPARTIES / BLOCKED_COUNTERPARTIESAddress whitelist/blocklist
TIME_WINDOW / DAY_OF_WEEKBusiness hours, allowed days
BLACKOUT_PERIODMaintenance windows
VELOCITY_LIMITTransaction rate limiting
REQUIRE_APPROVAL_ABOVEHuman approval threshold
GEOGRAPHIC_RESTRICTIONCountry/OFAC restrictions
CONTRACT_ALLOWLISTDeFi contract restrictions
X402_PRICE_CEILINGMax per x402 API call
X402_ALLOWED_SERVICES / X402_BLOCKED_SERVICESx402 service allowlist/blocklist
X402_MAX_PER_SERVICEPer-service daily cap

End-to-End Example: Pay a Vendor on Tempo Testnet

This walkthrough sends a real payment through the full external-wallet flow: approve → transfer on-chain → confirm back to Conto.

Prerequisites

  • Agent connected in Conto
  • SDK key (conto_agent_...) configured in ~/.hermes/.env
  • At least one policy (e.g. a 200 pathUSD per-transaction limit)
  • pathUSD in the agent’s wallet (faucet)

Step 1 — Create a spending policy

/conto create a policy that limits each transaction to 200 pathUSD
The skill calls POST /api/sdk/policies and returns the policy ID. Verify it: 
/conto list my policies

Step 2 — Request a payment (approve)

Send 50 pathUSD to 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 on Tempo
Behind the scenes the skill calls: 
curl -X POST https://conto.finance/api/sdk/payments/request \
  -H "Authorization: Bearer $CONTO_SDK_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 50,
    "recipientAddress": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
    "chainId": "42431",
    "purpose": "Vendor payment"
  }'
Conto evaluates every assigned policy. If approved, the response includes a requestId.

Step 3 — Transfer on-chain

Because this is an external wallet, the agent transfers pathUSD itself using its own keys. The skill handles this automatically — you don’t need to do anything extra.

Step 4 — Confirm back to Conto

After the on-chain transfer succeeds, the skill reports the transaction hash: 
curl -X POST https://conto.finance/api/sdk/payments/REQUEST_ID/confirm \
  -H "Authorization: Bearer $CONTO_SDK_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "transactionHash": "0xabc123...",
    "chainId": "42431"
  }'
Conto records the payment, updates spend counters, and the transaction appears in the dashboard.

Step 5 — Verify the result

/conto show my recent transactions
Or check the Conto dashboard under Transactions — you’ll see the confirmed payment with its explorer link.

What happens if a policy blocks the payment?

Try exceeding the limit: 
Send 300 pathUSD to 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 on Tempo
The skill returns a denial with the specific violation (e.g. MAX_AMOUNT: 300 exceeds limit of 200). No on-chain transfer occurs. The denied attempt appears under Alerts in the dashboard.

Verify in Dashboard

After running payments through the skill, check the Conto dashboard:
  • Transactions — confirmed payments with tx hashes and explorer links
  • Alerts — denied payment attempts with violation details
  • Agents — spend tracking (daily/weekly/monthly used)

Run the E2E Test

For automated testing against a local Conto instance: 
# Terminal 1
npm run dev

# Terminal 2
npx tsx scripts/test-openclaw-skill.ts
This creates an isolated test agent with 4 policies, runs 10 tests verifying each policy type, and cleans up afterward.

Troubleshooting

Verify CONTO_API_URL in ~/.hermes/.env is correct. For the hosted platform, use https://conto.finance. For local development, use http://localhost:3000. Test connectivity:
curl https://conto.finance/api/sdk/setup \
  -H "Authorization: Bearer $CONTO_SDK_KEY"
If you get a valid JSON response, the URL is reachable.
SDK keys are scoped to a single agent. Check that:
  • The key starts with conto_agent_ (not conto_org_)
  • The key hasn’t been revoked in the dashboard under Agents > SDK Keys
  • You’re using the correct key for the correct agent
Generate a new key if needed: Agents > your agent > SDK Keys > Generate New Key.
The denial response includes a violations array listing every rule that failed. Common causes:
  • Spend limit exceeded — check daily/weekly/monthly counters in the dashboard under Agents > Spend Tracking
  • Counterparty not on allowlist — if you have an ALLOWED_COUNTERPARTIES policy, the recipient must be listed
  • Outside time windowTIME_WINDOW and DAY_OF_WEEK rules use the timezone set on the policy
  • Category mismatch — if ALLOWED_CATEGORIES is set and no category is provided in the request, the rule is skipped (not denied). But if BLOCKED_CATEGORIES matches, it denies.
Use the dry-run check to debug without attempting a real payment:
/conto check if a 50 pathUSD payment to 0x742d... is allowed
In external wallet mode, Conto only enforces policy — the agent must transfer funds itself. If the approve call succeeds but no transfer happens:
  • Check the agent has enough pathUSD in its wallet
  • Check the Hermes agent logs for transfer errors
  • Ensure the wallet address registered in Conto matches the agent’s actual wallet
If the transfer succeeded but Conto doesn’t show it, the confirm call may have failed. Retry:
curl -X POST https://conto.finance/api/sdk/payments/REQUEST_ID/confirm \
  -H "Authorization: Bearer $CONTO_SDK_KEY" \
  -H "Content-Type: application/json" \
  -d '{"transactionHash": "0x...", "chainId": "42431"}'
Policy management requires an Admin SDK key. Standard keys can only read policies and approve/confirm payments. Check the key type in the dashboard under Agents > SDK Keys — the scope column shows standard or admin.
Policies must be assigned to the agent. Creating a policy alone doesn’t activate it. Assign via the dashboard (Policies > Assign to Agent) or via the API:
curl -X POST https://conto.finance/api/agents/AGENT_ID/policies \
  -H "Authorization: Bearer $CONTO_ORG_KEY" \
  -H "Content-Type: application/json" \
  -d '{"policyId": "POLICY_ID"}'
Also verify the policy status is ACTIVE (not DRAFT or DISABLED).
Check the skill directory exists:
ls ~/.hermes/skills/conto/SKILL.md
If using external_dirs, verify the path in ~/.hermes/config.yaml points to a directory containing SKILL.md. Hermes scans for SKILL.md files to discover skills.Restart the Hermes agent after installing or updating skills.