Build a Free DeFi Security Monitor With Hermes on a $5 VPS
Skip the sketchy paid skill packs sold for USDT over Telegram. Build a free, read-only DeFi security monitor with Hermes Agent and EVMScope instead.

- A popular paid Hermes skill pack for DeFi security scanning is sold via direct USDT transfer or a Telegram bot, with no visible source before payment.
- EVMScope is a free, open-source, read-only MCP server that covers the same honeypot detection and approval-status checks across 7 EVM chains.
- Combined with Hermes's built-in cron scheduler and a Telegram alert channel, it runs as a real DeFi security monitor for about $5/month, entirely read-only.
A DeFi security monitor is only as trustworthy as the actual code behind it, which is exactly the problem with most of the ones currently for sale in the Hermes Agent skill ecosystem right now. Before we build a real one, it's worth looking at why the popular paid option is one we won't be recommending.
This guide covers both. First, how to spot a skill you shouldn't pay for, using a real example we dug into ourselves. Then a working build: Hermes Agent, a free and open-source onchain toolkit, and a $5 VPS, wired together into a monitor that actually earns its keep.
Everything below is read-only. No wallet key, no signing, no fund custody risk anywhere in this build. That's not a limitation, it's the point.
What we found: a widely-linked "premium" DeFi security scanner in the Hermes skill ecosystem is sold by sending USDT directly to a wallet address or through a Telegram bot, with no visible source code for the paid product before you pay. That combination is worth knowing how to recognize on its own.
The Third-Party Shortcut We Don't Recommend
Search "Hermes DeFi security scanner" and you'll likely land on a listing called skill-packs, three products from a single contributor: a cross-exchange arbitrage monitor, a DeFi security scanner with honeypot and rug-pull detection, and a cross-chain tracker. Individually $29 to $49, or $99 bundled.
The pitch is reasonable. The delivery mechanism isn't.
| What we checked | What we found |
|---|---|
| Source code visible before paying | No, only a free install script for one tier is public |
| Payment method | Send USDT to a wallet address (TRC-20 or ERC-20), or a Telegram bot |
| Refund path | None visible |
| Maintainer track record | Single contributor, beta status, no other established projects found |
| Delivery channel | Telegram bot |
None of that proves it's a scam outright. It proves you'd be paying for a security tool without being able to read what it does first, over a payment rail that can't be reversed, from someone with no track record you can verify. That's the actual risk, whether or not the code turns out to be fine.
There's a specific irony worth sitting with. A DeFi security monitor exists to catch exactly this pattern: an unverified counterparty, an irreversible transfer, a promise you can't check before you commit to it. Buying one that asks you to accept the same risk it's supposed to protect you from is worth pausing on.
To be clear, we haven't purchased the paid tiers ourselves, and we're not claiming the code is malicious. We simply can't verify it, and "we can't verify it" is reason enough to point you at something we can.

What to Check Before Paying for Any Agent Skill
Hermes itself already has a framework for this. Skills installed from its official hub go through a security scanner and carry a trust level: official (ships with Hermes), trusted (major orgs like OpenAI or Anthropic's public skill repos), or community (everything else, findings can be overridden with --force, except anything flagged outright dangerous).
That system exists because Hermes can install skills from a lot of places: its own official hub, Vercel's skills.sh directory, GitHub repos from major labs, custom user-curated taps, or a single raw SKILL.md URL from anywhere on the internet. The trust tier is Hermes telling you how much scrutiny that source has already been through before it reaches your agent. A community skill isn't necessarily bad, most useful, niche tools start there, but it hasn't earned the same benefit of the doubt as something shipped in the official repo.
Use the same instinct for anything you're about to pay for, official trust tiers or not:
- Can you read the code before you pay? If not, you're trusting a stranger's description of their own product.
- Is the payment reversible? A card chargeback exists for a reason. A wallet-to-wallet USDT transfer doesn't have one.
- Does the seller have anything else to lose? A maintained GitHub history, a real handle, a reputation. An anonymous beta repo with one product has nothing on the line if it disappears tomorrow.
- Does a free alternative already exist? For DeFi security scanning specifically, it does, and it's what we're building next.
Why Onchain Security Monitoring Actually Matters Here
Most wallet losses in DeFi aren't from a private key leaking. They're from an old token approval nobody remembered to revoke, sitting there for months until a contract gets exploited and drains everyone who ever approved it.
A DeFi security monitor doesn't prevent that exploit from happening. It just makes sure you're not the last to know your wallet is exposed. Catching a risky approval on day one instead of month six is the entire value proposition, and it's a genuinely solvable problem with free, read-only tools.
The same logic applies to new tokens. A honeypot doesn't announce itself, it looks like a normal token until you try to sell and discover the contract blocks it. Checking a token before you buy takes one tool call. Checking it after you're already holding it is a lesson, not a monitor.
Build a Real DeFi Security Monitor Instead
The free alternative here is EVMScope, an open-source MCP server with 26 tools across Ethereum, Base, Polygon, Arbitrum, Optimism, Avalanche, and BSC. No API keys. No private key. Read-only by design, so there's no transaction execution and zero risk of fund loss even if something goes wrong.
Two of its tools do exactly what the paid scanner promises: checkHoneypot flags scam tokens using Honeypot.is data (buy/sell tax, risk level), and getApprovalStatus checks a wallet's ERC-20 allowances against known DeFi protocols with a risk assessment attached.
A few of its other 26 tools are worth building into the same monitor once the basic version is running. getWhaleMovements flags unusually large transfers involving a token or wallet you care about. getContractEvents watches a specific contract for activity instead of a wallet. simulateTx can preview what a transaction would actually do before anyone signs it, useful for double-checking a suspicious approval request before it goes anywhere near a wallet.
None of these need a paid tier. They're part of the same free, zero-config package as the two security tools above.

Step 1: Get a VPS and Install Hermes
A $5/month VPS (1 vCPU, 1 GB RAM) is enough, since neither Hermes nor EVMScope needs heavy local compute when the LLM runs over an API. Any mainstream provider works here, this isn't a specialized workload, and there's nothing crypto-specific about the hosting itself.
If you already have Hermes running from a previous project, you don't need a second server. Add EVMScope to that same instance's config and it runs alongside whatever else you've already got set up.
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
source ~/.bashrc
hermes setup
hermes model
Step 2: Add EVMScope as an MCP Tool
Open ~/.hermes/config.yaml and add it as a local MCP server:
mcp_servers:
evmscope:
command: "npx"
args: ["-y", "evmscope"]
Reload without restarting the whole agent:
/reload-mcp
No config beyond that. No API keys to generate, no account to create.
Step 3: Wire Up a Telegram Alert Channel
Telegram bots provision in minutes and are the fastest way to actually see an alert land on your phone. Set up the gateway through Hermes's messaging settings, then point a scheduled job at it.

Step 4: Schedule the Actual Monitoring
Hermes has a built-in cron scheduler. Create a recurring job from chat:
/cron add every 2h "Check approval status for wallet 0xYourWallet using EVMScope's getApprovalStatus tool. If any approval shows medium or high risk, alert me on Telegram with the token, spender, and risk level. Also run checkHoneypot on any new token that shows up in the wallet's recent transfers."
Or from the CLI directly:
hermes cron create --schedule "every 2h" --prompt "Check approval status for wallet 0xYourWallet using EVMScope. Alert on Telegram for medium or high risk findings."
Manage it afterward with hermes cron list, hermes cron status, or edit the schedule with /cron edit <job_id> --schedule "every 30m" once you've decided how tight you want the check interval.
Step 5: Test It Before You Trust It
Point the first run at a wallet you know has an old, risky approval sitting on it (most active DeFi wallets have at least one), and confirm the alert actually reaches Telegram with the right details before relying on it for anything real. A monitor you haven't seen fire once isn't a monitor yet, it's a guess.
Step 6: Layer On Whale and Contract Watching
Once the approval check is running reliably, add a second cron job for the other tools:
/cron add every 6h "Run getWhaleMovements on [token address] and getContractEvents on [contract address]. Alert on Telegram only if a single transfer exceeds $500,000 or an unusual event fires on the contract."
Keep each job scoped to one thing. A single cron job trying to watch approvals, whales, and honeypots all at once is harder to debug when something eventually misfires, and something eventually will.

What This Setup Costs vs. the Paid Option
| Third-party skill pack | This build | |
|---|---|---|
| Price | $49 (scanner alone) to $99 (bundle) | $0 in software |
| Hosting | Not specified | ~$5/month VPS |
| Source visible before use | No | Yes, EVMScope is open source |
| Fund custody risk | Unknown | None, read-only tools |
| Payment method | USDT to a wallet, or Telegram bot | N/A |
Same $5 VPS either way. The difference is entirely in what you're trusting to run on it.
That comparison isn't meant to dunk on every paid crypto tool that exists. Plenty of legitimate paid infrastructure runs on crypto-native businesses, most of it with visible source, a real company behind it, and a payment processor that isn't a bare wallet address. The specific combination here, unaudited code plus irreversible payment plus no accountable seller, is what makes this one worth passing on, not the price tag by itself.
Common Mistakes to Avoid
- Setting the check interval too aggressive for free RPC limits.
every 2his plenty for approval monitoring. Cranking it toevery 5mon public endpoints risks getting rate-limited. - Monitoring a wallet you don't actually use. Point this at wallets that hold real value or sign real approvals. A monitor on an empty test wallet just confirms the plumbing works.
- Forgetting this is read-only. EVMScope can't revoke a bad approval for you. It can only tell you one exists. Revoking still means a manual transaction on your end.
- Trusting a paid skill because it's popular in a curated list. Being listed in
awesome-hermes-agentisn't a security audit. Curated lists index what exists, they don't vouch for it. - Running the monitor without ever checking in on it. A DeFi security monitor that alerts into a Telegram chat you've muted is worse than no monitor at all, it gives you false confidence that something's watching. Check the chat, not just the cron status.
- Hardcoding a wallet address you'll rotate later. If you use a fresh wallet for a new project, update the cron job's prompt. A monitor watching last quarter's wallet isn't watching anything useful.
Extending This as Your Portfolio Grows
One wallet, one chain, one cron job is a fine starting point. It stops being enough the moment you're active across two or three chains, which for most builders happens fast.
The straightforward way to scale it: one cron job per wallet-chain pair, each with its own check interval based on how much you actually care about that specific wallet. A treasury wallet might deserve every 30m. A testnet wallet you touch once a month doesn't need checking at all.
Keep the alerts in one Telegram chat rather than splitting across several. A DeFi security monitor is only useful if you actually look at what it sends you, and that's more likely with one place to check than five.
FAQ
Is EVMScope actually free?
Yes. It's open source, requires no API keys, and runs via npx evmscope with zero account setup.
Can this monitor sign a transaction to revoke a bad approval automatically? No, by design. It's read-only. Acting on what it finds, not just alerting, is a different, higher-risk setup entirely.
What happens if the third-party skill pack turns out to be legitimate? Then it's still true that paying for something you can't inspect, over a payment method with no recourse, was the riskier way to find out. The verified free option costs nothing to try first.
Does this only work for Base? No. EVMScope covers seven EVM chains, including Base, Ethereum, Polygon, Arbitrum, Optimism, Avalanche, and BSC. Point it at whichever wallet and chain you actually use.
How is this different from just checking a block explorer manually? A block explorer shows you what happened if you remember to look. A DeFi security monitor checks on a schedule whether you remember or not, and only interrupts you when something actually crosses a risk threshold.
Should I still report the paid skill pack to anyone? If you've already purchased it and it turns out fine, that's useful information worth sharing back with the community list that indexed it. If you haven't paid yet, the free build above answers the same need without that risk in the first place.
Sneak peek: if you want this same Hermes setup to eventually act instead of just watch, sending transactions instead of only flagging them, that's a separate build with its own approval flow and its own risks, covered in Build an Onchain AI Agent.
For more on vetting tools before you trust them with anything crypto-adjacent, check the Guides hub.


