Works hard. Remembers everything. Answers to no one, but you.

Salmex I/O is a personal AI operations platform that lives on your machine — with persistent memory, agentic reasoning, multi-channel reach, and a safety system that escalates to you, not a corporate policy team.

See it in action

Download, set up, and watch memory, search, and scheduling work together — in under 4 minutes.

The problem with your AI

It wants you trapped

OpenAI wants you on ChatGPT. Google wants you on Gemini. Anthropic just cut off third-party tools from Claude subscriptions overnight. They build walls, not bridges — and they'd rather you stay than let you choose freely.

It won't come to you

Your real conversations happen in WhatsApp, iMessage, Telegram, Slack. Your AI never goes there. You're supposed to open their app, copy-paste context, switch tabs. You adapt to them every single time.

It answers to someone else

You ask a reasonable question and get refused — not because it's harmful, but because a policy team decided it's uncomfortable. Rate limits, their rules, their pricing. You just rent access.

Your memory is their silo

Switch from Gemini to ChatGPT and start from scratch. Your preferences, context, decisions — locked inside each provider's walled garden. Your history belongs to them.

Your AI should be infrastructure you own, not a service you rent.
It should get better the longer you use it.
It should answer to you — and only you.
That's what we're building.

What Salmex I/O does

Your Infrastructure. Your Rules.

Database, memory, channels, scheduling, config — all on your machine. Your data never leaves. Three ways to run the brain: Managed Inference (our own hosted open-source models, 5–21× cheaper than cloud AI, no keys needed), bring your own key for Anthropic, OpenAI or Gemini, or fully local with Ollama.

The brain is your choice. The infrastructure is yours.

Search. Browse. Code. Act.

Embedded coding agent that creates custom programs on the fly when a task demands it. Multi-engine search — Perplexity, Brave, Google — with deep research. Browser automation. Extensible plugin system. Not a chatbot. An agent that does things.

Skills, sub-agents, session branching — it handles the work.

Every Action Reviewed Before It Runs.

An LLM judge reviews every tool call before execution. Four risk levels. High-risk actions escalate to you for approval — via Telegram, Slack, or wherever you are. Prompt injection scanning, secret leak detection, and PII redaction ship in the binary. Not a checkbox. Three security layers deep.

Remembers You. Reaches You. Runs For You.

Persistent memory across every channel and every LLM — hybrid vector + BM25 retrieval that extracts facts, not just chat history. Multi-channel reach — Desktop, Telegram, Slack — with more channels coming. Built-in scheduler with natural language and cron. A native macOS app that feels like it belongs on your dock.

Security that ships in the binary

Every Salmex I/O install includes hardened security — running locally, with zero cloud dependency. No add-on. No extra cost.

Secret & Credential Leak Detection

Every outbound LLM request is scanned for API keys, passwords, tokens, and private keys before it leaves your machine. Catches accidental leaks before they reach any provider.

PII Redaction

Detects and masks personal data — emails, phone numbers, government IDs, credit cards — before sending to cloud LLM providers. Your private information never reaches external servers.

Prompt Injection Scanning

Every tool output and plugin response is scanned for injection attempts before reaching the agent. Essential rules ship in every release. Pro adds cloud-updated rules — multi-lingual, weekly updates, zero-day coverage.

How it's built

Eight architectural layers. JSON-RPC gateway. Lane-based concurrency. Plugin system with crash recovery. DB-driven hot-reload configuration with AES-256-GCM encrypted secrets. Built in Go and SvelteKit — not a wrapper around someone else's API.

Under the hood

Multi-provider LLM pgvector hybrid memory Cron + NL scheduling JSON-RPC 2.0 plugins AES-256-GCM config 40+ typed events Embedded coding agent
LLM providers Inference ours Anthropic OpenAI Gemini Ollama
Search Perplexity Brave Google

Cloud AI vs. your AI

Cloud AI Salmex I/O
Memory Resets every session Persistent across sessions and channels
Data Sent to their servers Never leaves your machine
Models Their models, their API Provider-agnostic, local AI support
Limits Rate-limited, tier-gated Your hardware, no usage caps
Safety Corporate policy, their veto You control, you approve or deny
Execution Chat only or locked-down actions Full and safe access to your hardware
Channels One app, one place Same agent, Telegram to Slack to Desktop
Proactive You go to them Reaches you: proactive agent, reminders
Scan before LLM Sent straight to their models PII, secrets, injection scanned before any LLM
Uptime Their infrastructure Works offline

Why not OpenClaw?

OpenClaw hit 250,000 GitHub stars — faster than React.
Then the security audits started.

512 vulnerabilities. 8 critical.

An independent audit scored OpenClaw 1.2 out of 5 for enterprise readiness. Since then, 5+ additional CVEs have been disclosed — including command injection, SHA-1 cache poisoning, PATH hijacking, TAR path traversal, and voice-based RCE. Microsoft says it is "not appropriate to run on a standard personal or enterprise workstation."

One-click remote code execution.

CVE-2026-25253. Visit a single malicious web page, and an attacker can execute arbitrary commands on your machine. The gateway doesn't validate WebSocket origins. Over 220,000 instances have been found exposed to the public internet — 17,500+ confirmed vulnerable to RCE.

API keys stored in plain text.

Your OpenAI, AWS, GitHub, and Slack credentials sit unencrypted in ~/.openclaw by default. OpenClaw added an opt-in SecretRef system, but plaintext remains the default. RedLine, Lumma, and Vidar infostealers now specifically target that directory — Hudson Rock called it "the first observed case of an infostealer stealing the complete identity of a personal AI agent." 1,184+ malicious skills found on ClawHub, 36% containing prompt injection.

Auth disabled by default.

The gateway ships internet-accessible with zero authentication. Palo Alto Networks calls it a "lethal trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally. A Meta AI alignment director's agent deleted her emails despite repeated "STOP" commands — she had to physically run to her Mac Mini to kill it. No judge system. No risk assessment. Every command runs with your full permissions.

What security experts are saying.

"Not appropriate to run on a standard personal or enterprise workstation. Should be treated as untrusted code execution with persistent credentials."

Microsoft Security Blog

"A lethal trifecta: access to private data, exposure to untrusted content, and the ability to communicate externally. Persistent memory acts as an accelerant."

Palo Alto Networks

Salmex I/O is built differently.

AES-256-GCM encrypted config.

Every secret — API keys, bot tokens, credentials — encrypted at rest in PostgreSQL. Not opt-in. Not a bolt-on. Encrypted by default from day one. DB-driven with hot-reload, change history, and rollback.

4-tier judge system.

An LLM judge reviews every tool call before execution. Four risk levels. High-risk actions require explicit approval — escalated to you via Telegram in real time. When an action is risky, the agent pauses and asks. It doesn't speed-run your inbox. Confidence scoring, decision caching, per-session context.

Real memory. Not chat history.

Hybrid vector + BM25 retrieval with confidence decay, extraction pipelines, and consolidation. Our memory system extracts and consolidates — it doesn't blindly persist injected instructions. Salmex I/O extracts facts, preferences, decisions, and entities with automatic dedup, volatility filtering, and periodic consolidation.

Go. Not Node.js.

Single binary. No npm supply chain. No 1,200-dependency node_modules. Compiled, statically typed, memory-safe. Deploys as one file. Starts in milliseconds. No runtime required.

OpenClaw Salmex I/O
Secrets Plaintext default, opt-in SecretRef AES-256-GCM in PostgreSQL
Tool safety No review, full permissions LLM judge, 4 risk tiers
Memory Chat history + basic recall Hybrid vector + BM25, RRF fusion
Runtime Node.js + 1,200 deps Single Go binary
Plugins npm skills, 1,184+ malicious found JSON-RPC 2.0, subprocess-isolated
Auth Off by default API key + HMAC verification
Scheduling Cron via skills Built-in cron + NL + DLQ
Delivery Direct send per channel Outbox, routing, retry — Pro adds quiet hours

We started with a question: can you trust an AI agent with your actual machine?

We explored running autonomous AI agents on a real dev environment. Then we read the security audits. Credentials in plain text. Auth off by default. No review on tool calls. Any malicious webpage could hijack the WebSocket and execute commands on your machine.

We wanted three things: an AI that's safe enough to trust with real hardware and real credentials, capable enough to actually act on your behalf, and fully yours — running on your machine, with your data, accountable to you.

Nothing on the market checked every box. So we built it. Salmex I/O is independent: no venture capital, no corporate roadmap, no data mining. A team building the tool we needed — and shipping it to everyone who needs it too.

Salmex I/O has been sunset.

It's no longer available to download or sign up for. This site remains as a record of what was built. Read more →