Works hard. Remembers everything. Answers to no one, but you.
Salmex I/O is a personal AI operations platform that lives on your machine — with persistent memory, agentic reasoning, multi-channel reach, and a safety system that escalates to you, not a corporate policy team.
See it in action
Download, set up, and watch memory, search, and scheduling work together — in under 4 minutes.
The problem with your AI
It wants you trapped
OpenAI wants you on ChatGPT. Google wants you on Gemini. Anthropic just cut off third-party tools from Claude subscriptions overnight. They build walls, not bridges — and they'd rather you stay than let you choose freely.
It won't come to you
Your real conversations happen in WhatsApp, iMessage, Telegram, Slack. Your AI never goes there. You're supposed to open their app, copy-paste context, switch tabs. You adapt to them every single time.
It answers to someone else
You ask a reasonable question and get refused — not because it's harmful, but because a policy team decided it's uncomfortable. Rate limits, their rules, their pricing. You just rent access.
Your memory is their silo
Switch from Gemini to ChatGPT and start from scratch. Your preferences, context, decisions — locked inside each provider's walled garden. Your history belongs to them.
Your AI should be infrastructure you own, not a service you rent.
It should get better the longer you use it.
It should answer to you — and only you.
That's what we're building.
What Salmex I/O does
Your Infrastructure. Your Rules.
Database, memory, channels, scheduling, config — all on your machine. Your data never leaves. Three ways to run the brain: Managed Inference (our own hosted open-source models, 5–21× cheaper than cloud AI, no keys needed), bring your own key for Anthropic, OpenAI or Gemini, or fully local with Ollama.
The brain is your choice. The infrastructure is yours.
Search. Browse. Code. Act.
Embedded coding agent that creates custom programs on the fly when a task demands it. Multi-engine search — Perplexity, Brave, Google — with deep research. Browser automation. Extensible plugin system. Not a chatbot. An agent that does things.
Skills, sub-agents, session branching — it handles the work.
Every Action Reviewed Before It Runs.
An LLM judge reviews every tool call before execution. Four risk levels. High-risk actions escalate to you for approval — via Telegram, Slack, or wherever you are. Prompt injection scanning, secret leak detection, and PII redaction ship in the binary. Not a checkbox. Three security layers deep.
Remembers You. Reaches You. Runs For You.
Persistent memory across every channel and every LLM — hybrid vector + BM25 retrieval that extracts facts, not just chat history. Multi-channel reach — Desktop, Telegram, Slack — with more channels coming. Built-in scheduler with natural language and cron. A native macOS app that feels like it belongs on your dock.
Security that ships in the binary
Every Salmex I/O install includes hardened security — running locally, with zero cloud dependency. No add-on. No extra cost.
Secret & Credential Leak Detection
Every outbound LLM request is scanned for API keys, passwords, tokens, and private keys before it leaves your machine. Catches accidental leaks before they reach any provider.
PII Redaction
Detects and masks personal data — emails, phone numbers, government IDs, credit cards — before sending to cloud LLM providers. Your private information never reaches external servers.
Prompt Injection Scanning
Every tool output and plugin response is scanned for injection attempts before reaching the agent. Essential rules ship in every release. Pro adds cloud-updated rules — multi-lingual, weekly updates, zero-day coverage.
How it's built
Eight architectural layers. JSON-RPC gateway. Lane-based concurrency. Plugin system with crash recovery. DB-driven hot-reload configuration with AES-256-GCM encrypted secrets. Built in Go and SvelteKit — not a wrapper around someone else's API.
Under the hood
Cloud AI vs. your AI
Why not OpenClaw?
OpenClaw hit 250,000 GitHub stars — faster than React.
Then the security audits started.
512 vulnerabilities. 8 critical.
An independent audit scored OpenClaw 1.2 out of 5 for enterprise readiness. Since then, 5+ additional CVEs have been disclosed — including command injection, SHA-1 cache poisoning, PATH hijacking, TAR path traversal, and voice-based RCE. Microsoft says it is "not appropriate to run on a standard personal or enterprise workstation."
One-click remote code execution.
CVE-2026-25253. Visit a single malicious web page, and an attacker can execute arbitrary commands on your machine. The gateway doesn't validate WebSocket origins. Over 220,000 instances have been found exposed to the public internet — 17,500+ confirmed vulnerable to RCE.
API keys stored in plain text.
Your OpenAI, AWS, GitHub, and Slack credentials sit unencrypted in ~/.openclaw by default. OpenClaw added an opt-in SecretRef system, but plaintext remains the default. RedLine, Lumma, and Vidar infostealers now specifically target that directory — Hudson Rock called it "the first observed case of an infostealer stealing the complete identity of a personal AI agent." 1,184+ malicious skills found on ClawHub, 36% containing prompt injection.
Auth disabled by default.
The gateway ships internet-accessible with zero authentication. Palo Alto Networks calls it a "lethal trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally. A Meta AI alignment director's agent deleted her emails despite repeated "STOP" commands — she had to physically run to her Mac Mini to kill it. No judge system. No risk assessment. Every command runs with your full permissions.
What security experts are saying.
"Not appropriate to run on a standard personal or enterprise workstation. Should be treated as untrusted code execution with persistent credentials."
Microsoft Security Blog
"A lethal trifecta: access to private data, exposure to untrusted content, and the ability to communicate externally. Persistent memory acts as an accelerant."
Palo Alto Networks
Salmex I/O is built differently.
AES-256-GCM encrypted config.
Every secret — API keys, bot tokens, credentials — encrypted at rest in PostgreSQL. Not opt-in. Not a bolt-on. Encrypted by default from day one. DB-driven with hot-reload, change history, and rollback.
4-tier judge system.
An LLM judge reviews every tool call before execution. Four risk levels. High-risk actions require explicit approval — escalated to you via Telegram in real time. When an action is risky, the agent pauses and asks. It doesn't speed-run your inbox. Confidence scoring, decision caching, per-session context.
Real memory. Not chat history.
Hybrid vector + BM25 retrieval with confidence decay, extraction pipelines, and consolidation. Our memory system extracts and consolidates — it doesn't blindly persist injected instructions. Salmex I/O extracts facts, preferences, decisions, and entities with automatic dedup, volatility filtering, and periodic consolidation.
Go. Not Node.js.
Single binary. No npm supply chain. No 1,200-dependency node_modules. Compiled, statically typed, memory-safe. Deploys as one file. Starts in milliseconds. No runtime required.
We started with a question: can you trust an AI agent with your actual machine?
We explored running autonomous AI agents on a real dev environment. Then we read the security audits. Credentials in plain text. Auth off by default. No review on tool calls. Any malicious webpage could hijack the WebSocket and execute commands on your machine.
We wanted three things: an AI that's safe enough to trust with real hardware and real credentials, capable enough to actually act on your behalf, and fully yours — running on your machine, with your data, accountable to you.
Nothing on the market checked every box. So we built it. Salmex I/O is independent: no venture capital, no corporate roadmap, no data mining. A team building the tool we needed — and shipping it to everyone who needs it too.
Salmex I/O has been sunset.
It's no longer available to download or sign up for. This site remains as a record of what was built. Read more →