Salmex I/O is a personal AI operations platform that runs locally on your machine. It provides persistent long-term memory, multi-channel communication (Telegram, WhatsApp, iMessage, Discord, Slack, and more), agentic reasoning with multi-provider LLM support (Anthropic, OpenAI, Gemini, Ollama), and human-in-the-loop safety via an LLM judge system.

Yes. The Free tier includes unlimited memory, full agentic capabilities, the safety judge, scheduler, search, plugins, and desktop chat plus one external channel — free forever for personal use. Pro ($9/month, billed annually) unlocks unlimited channels, managed remote access, advanced security rules, proactive delivery, and commercial use.

How is Salmex I/O different from ChatGPT or Claude?

Unlike cloud AI chatbots, Salmex I/O runs on your machine, gives you persistent memory across all channels and providers, lets you choose any LLM (Anthropic, OpenAI, Gemini, or local via Ollama), and includes an agentic execution engine with a safety system that escalates to you rather than a corporate policy team. Your data never leaves your infrastructure.

What LLM providers does Salmex I/O support?

Salmex I/O supports Anthropic (Claude), OpenAI (GPT-4.1, o3), Google Gemini, and fully local inference via Ollama. You bring your own API keys and can switch providers at any time without losing context.

How does the safety system work?

Every tool call passes through a structured pipeline with an LLM judge — a separate model that reviews high-impact actions before they execute. There are four risk levels: low-risk actions run instantly, high-risk actions (code execution, sending messages, external API calls) require your explicit approval via your preferred channel.

Runs locally. Remembers everything. Answers to no one.

Salmex I/O is a personal AI operations platform that lives on your machine — with persistent memory, agentic reasoning, multi-channel reach, and a safety system that escalates to you, not a corporate policy team.

Why this exists Join Discord

See it in action

Install, configure, chat, connect Telegram, and watch memory carry across channels — in under 9 minutes.

salmex i/o — product demo

The problem with your AI

It wants you trapped

OpenAI wants you on ChatGPT. Google wants you on Gemini. Each builds walls, not bridges. The best model for code isn't the best for research — but they'd rather you stay than let you choose freely.

It won't come to you

Your real conversations happen in WhatsApp, iMessage, Telegram. Your AI never goes there. You're supposed to open their product, copy-paste, switch context. You adapt to them. Every time.

It answers to someone else

You ask a reasonable question and get refused — not because it's harmful, but because a policy team decided it's uncomfortable. Rate limits, their rules, their pricing. You just rent access.

Your memory is their silo

Switch from Gemini to ChatGPT and start from scratch. Your preferences, context, decisions — locked inside each provider's walled garden. Your history belongs to them.

Your AI should be infrastructure you own, not a service you rent.
It should get better the longer you use it.
It should answer to you — and only you.
That's what we're building.

What Salmex I/O does

Your Infrastructure. Your Rules.

Database, memory, channels, scheduling, config — all on your machine. Your data never leaves. Pick any LLM provider: Anthropic, OpenAI, Gemini via API, or run fully local with Ollama.

The brain is your choice. The infrastructure is yours.

Search. Browse. Code. Act.

Embedded coding agent that creates custom programs on the fly when a task demands it. Multi-engine search — Perplexity, Brave, Google — with deep research. Browser automation. Extensible plugin system. Not a chatbot. An agent that does things.

Skills, sub-agents, session branching — it handles the work.

Every Action Reviewed Before It Runs.

An LLM judge reviews every tool call before execution. Four risk levels. High-risk actions escalate to you for approval — via Telegram, Slack, or wherever you are. Prompt injection scanning, secret leak detection, and PII redaction ship in the binary. Not a checkbox. Three security layers deep.

Remembers You. Reaches You. Runs For You.

Persistent memory across every channel and every LLM — hybrid vector + BM25 retrieval that extracts facts, not just chat history. Multi-channel reach — Telegram, Slack, Discord, desktop, CLI, web. Built-in scheduler with natural language and cron. A native macOS app that feels like it belongs on your dock.

Security that ships in the binary

Every Salmex I/O install includes hardened security — running locally, with zero cloud dependency. No add-on. No extra cost.

Secret & Credential Leak Detection

Every outbound LLM request is scanned for API keys, passwords, tokens, and private keys before it leaves your machine. Catches accidental leaks before they reach any provider.

PII Redaction

Detects and masks personal data — emails, phone numbers, government IDs, credit cards — before sending to cloud LLM providers. Your private information never reaches external servers.

Prompt Injection Scanning

Every tool output and plugin response is scanned for injection attempts before reaching the agent. Essential rules ship in every release. Pro adds cloud-updated rules — multi-lingual, weekly updates, zero-day coverage.

How it's built

salmex i/o 8 layers

Input

01 Channel Telegram · Slack · WhatsApp · CLI · Web

02 Gateway JSON-RPC · Auth · Routing · Lane Queue

Processing

03 Agent Reason · Act · Observe · Coder Embed

04 Judge Risk Tiers · Escalation · Audit Log

05 Memory pgvector · BM25 · Extraction · Decay

06 Plugin JSON-RPC 2.0 · Subprocess · Recovery

Scheduling

07 Scheduler Cron · Natural Language · DLQ

Output

08 UI Dashboard · SSE · JSON-RPC API

Across all layers

Event Bus Config Manager Delivery Platform Toolkit

Eight architectural layers. JSON-RPC gateway. Lane-based concurrency. Plugin system with crash recovery. DB-driven hot-reload configuration with AES-256-GCM encrypted secrets. Built in Go and SvelteKit — not a wrapper around someone else's API.

Under the hood

Multi-provider LLM pgvector hybrid memory Cron + NL scheduling JSON-RPC 2.0 plugins AES-256-GCM config 40+ typed events Embedded coding agent

LLM providers Anthropic OpenAI Gemini Ollama

Search Perplexity Brave Google

Cloud AI vs. your AI

Cloud AI Salmex I/O

Memory Resets every session Persistent across sessions and channels

Data Sent to their servers Never leaves your machine

Models Their models, their API Provider-agnostic, local AI support

Limits Rate-limited, tier-gated Your hardware, no usage caps

Safety Corporate policy, their veto You control, you approve or deny

Execution Chat only or locked-down actions Full and safe access to your hardware

Channels One app, one place Same agent, Telegram to Slack to Desktop

Proactive You go to them Reaches you: proactive agent, reminders

Scan before LLM Sent straight to their models PII, secrets, injection scanned before any LLM

Uptime Their infrastructure Works offline

No limits on what matters.

Full memory. Full safety. Full AI. Free forever for personal use.
Pro unlocks multi-channel, advanced security, proactive agent, and smart delivery.

Free

$0 forever

For individuals, students, non-profits & education

Unlimited memory, all features
Desktop + 1 external channel
Every LLM provider (BYOK)
Full safety judge & scheduler
Secret leak & PII protection
Runs on your machine

No account required

Full daemon

Pro

$9 /month, billed annually

The full autonomous daemon — multi-channel, advanced security

Unlimited simultaneous channels
Managed remote access (easy channels integration)
Advanced prompt injection scanning
Proactive agent, quiet hours, smart routing
Commercial use licence

Billed annually. 30-day money-back guarantee.

CPU

$99 /month

Dedicated bare-metal server

Everything in Pro
Dedicated physical server
Always on — no uptime worries, no connection issues
Not a VM — real hardware
We handle maintenance, backups & security
Full read access via SSH
Project source code inspection

Limited slots — each server is individually provisioned.

Coming soon

GPU

$249 /month

Dedicated GPU bare-metal server

Dedicated GPU server
Fully local LLM inference — no need for 3rd party APIs
Run your AI on any open-source model via Ollama
Zero data leaves your server

GPU servers are coming soon — register and we'll notify you first.

Dedicated bare-metal. Not a cloud VM.

CPU and GPU plans run on dedicated physical servers — not shared virtual machines on AWS or Google Cloud. No hyperscaler middleman. No noisy neighbours. No one else's code touching your hardware.

Your data. Your server. Your rules.

Salmex I/O is independently built. No venture capital. No ads. No data mining.
We're accountable to users, not investors.

See full licence terms

Why not OpenClaw?

OpenClaw hit 250,000 GitHub stars — faster than React.
Then the security audits started.

512 vulnerabilities. 8 critical.

An independent audit scored OpenClaw 1.2 out of 5 for enterprise readiness. Since then, 5+ additional CVEs have been disclosed — including command injection, SHA-1 cache poisoning, PATH hijacking, TAR path traversal, and voice-based RCE. Microsoft says it is "not appropriate to run on a standard personal or enterprise workstation."

One-click remote code execution.

CVE-2026-25253. Visit a single malicious web page, and an attacker can execute arbitrary commands on your machine. The gateway doesn't validate WebSocket origins. Over 220,000 instances have been found exposed to the public internet — 17,500+ confirmed vulnerable to RCE.

API keys stored in plain text.

Your OpenAI, AWS, GitHub, and Slack credentials sit unencrypted in ~/.openclaw by default. OpenClaw added an opt-in SecretRef system, but plaintext remains the default. RedLine, Lumma, and Vidar infostealers now specifically target that directory — Hudson Rock called it "the first observed case of an infostealer stealing the complete identity of a personal AI agent." 1,184+ malicious skills found on ClawHub, 36% containing prompt injection.

Auth disabled by default.

The gateway ships internet-accessible with zero authentication. Palo Alto Networks calls it a "lethal trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally. A Meta AI alignment director's agent deleted her emails despite repeated "STOP" commands — she had to physically run to her Mac Mini to kill it. No judge system. No risk assessment. Every command runs with your full permissions.

What security experts are saying.

"Not appropriate to run on a standard personal or enterprise workstation. Should be treated as untrusted code execution with persistent credentials."

Microsoft Security Blog

"A lethal trifecta: access to private data, exposure to untrusted content, and the ability to communicate externally. Persistent memory acts as an accelerant."

Palo Alto Networks

Salmex I/O is built differently.

AES-256-GCM encrypted config.

Every secret — API keys, bot tokens, credentials — encrypted at rest in PostgreSQL. Not opt-in. Not a bolt-on. Encrypted by default from day one. DB-driven with hot-reload, change history, and rollback.

4-tier judge system.

An LLM judge reviews every tool call before execution. Four risk levels. High-risk actions require explicit approval — escalated to you via Telegram in real time. When an action is risky, the agent pauses and asks. It doesn't speed-run your inbox. Confidence scoring, decision caching, per-session context.

Real memory. Not chat history.

Hybrid vector + BM25 retrieval with confidence decay, extraction pipelines, and consolidation. Our memory system extracts and consolidates — it doesn't blindly persist injected instructions. Salmex I/O extracts facts, preferences, decisions, and entities with automatic dedup, volatility filtering, and periodic consolidation.

Go. Not Node.js.

Single binary. No npm supply chain. No 1,200-dependency node_modules. Compiled, statically typed, memory-safe. Deploys as one file. Starts in milliseconds. No runtime required.

OpenClaw Salmex I/O

Secrets Plaintext default, opt-in SecretRef AES-256-GCM in PostgreSQL

Tool safety No review, full permissions LLM judge, 4 risk tiers

Memory Chat history + basic recall Hybrid vector + BM25, RRF fusion

Runtime Node.js + 1,200 deps Single Go binary

Plugins npm skills, 1,184+ malicious found JSON-RPC 2.0, subprocess-isolated

Auth Off by default API key + HMAC verification

Scheduling Cron via skills Built-in cron + NL + DLQ

Delivery Direct send per channel Outbox, routing, retry — Pro adds quiet hours

I'm Salmen Hichri, product engineer in London.

I was exploring running autonomous AI agents on my dev box. Then I read the security audits. Credentials in plain text. Auth off by default. No review on tool calls. Any malicious webpage could hijack the WebSocket and execute commands on your machine.

I wanted three things: an AI that's safe enough to trust with my hardware and real credentials, capable enough to actually act on my behalf, and fully mine — running on my machine, with my data, accountable to me.

Nothing on the market checked every box, so I built it — the AI agent I'd trust with my own machine. Salmex I/O is an independent project: no venture capital, no corporate roadmap, no data mining. Just one engineer building the tool he needed.

Salmex I/O is ready.

Full memory. Full safety. Full AI. Free forever for personal use.

Built by Salmen Hichri

London. 2026.