moltis

Name: moltis
Author: moltis-org

Verified

A secure persistent personal agent server in Rust. One binary, sandboxed execution, multi-provider LLMs, voice, memory, Telegram, WhatsApp, Discord, Teams, and MCP tools. Secure by design, runs on your hardware.

2,709stars

320forks

Rust

Added 2/14/2026

View on GitHub Download ZIP

AI Agentsai-agentai-assistantclawdbotllmmcp

Installation

# Add to your Claude Code skills
git clone https://github.com/moltis-org/moltis

Getting Started

Guides for using ai agents skills like moltis.

Caveman: Cut Claude Token Use by 65%
How agent-side prompt compression works, when to use it, and when not to.
What is an AI Skills Marketplace?
Definitions, how marketplaces work, and how to choose between them in 2026.
Getting Started with AI Skills

Security ReportVerified

Last scanned: 4/23/2026

{
  "issues": [],
  "status": "PASSED",
  "scannedAt": "2026-04-23T06:07:19.663Z",
  "semgrepRan": false,
  "npmAuditRan": true,
  "pipAuditRan": true
}

README.md

Agentic AI for Beginners

Build your first AI agent from scratch - tool use, ReAct pattern, memory, deployment

41 minBeginner

Comments (0)

to leave a comment.

No comments yet. Be the first to share your thoughts!

Related Skills

ECC

by affaan-m

The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.

194,955

ruler mirage

Moltis — A secure persistent personal agent server in Rust

One binary — sandboxed, secure, yours.

Installation • Comparison • Architecture • Security • Features • How It Works • Contributing

Moltis recently hit the front page of Hacker News. Please open an issue for any friction at all. I'm focused on making Moltis excellent.

Secure by design — Your keys never leave your machine. Every command runs in a sandboxed container, never on your host.

Your hardware — Runs on a Mac Mini, a Raspberry Pi, or any server you own. One Rust binary, no Node.js, no npm, no runtime.

Full-featured — Voice, memory, cross-session recall, automatic edit checkpoints, scheduling, Telegram, Signal, Discord, browser automation, MCP servers, SSH or node-backed remote exec, managed deploy keys with host pinning in the web UI, a live Settings → Tools inventory, Cursor-compatible project context, and context-file threat scanning — all built-in. No plugin marketplace to get supply-chain attacked through.

Auditable — The agent runner and model interface fit in ~7.5K lines, with providers in ~19K more. The Rust workspace is ~270K lines across 59 modular crates you can audit independently, with 470+ Rust files containing tests. Unsafe code is isolated to FFI and precompiled runtime boundaries, not the core agent loop.

Installation

# One-liner install script (macOS / Linux)
curl -fsSL https://www.moltis.org/install.sh | sh

# macOS / Linux via Homebrew
brew install moltis-org/tap/moltis

# Docker (multi-arch: amd64/arm64)
docker pull ghcr.io/moltis-org/moltis:latest

# Or build from source
cargo install moltis --git https://github.com/moltis-org/moltis

Comparison

| | OpenClaw | Hermes Agent | Moltis | |---|---|---|---| | Primary stack | TypeScript + Swift/Kotlin companion apps | Python + TypeScript TUI/web surfaces | Rust | | Runtime | Node.js + npm/pnpm/bun | Python + uv/pip, optional Node UI pieces | Single Rust binary | | Local checkout size* | ~1.1M app LoC | ~152K app LoC | ~270K Rust LoC | | Architecture | Broad gateway, channel, node, and app ecosystem | CLI/gateway agent with learning loop and research tooling | Persistent personal agent server with modular crates | | Crates/modules | npm packages, extensions, apps | Python packages, plugins, tools, TUI | 59 Rust workspace crates | | Sandbox/backends | App-level permissions, browser/node tools | Local, Docker, SSH, Daytona, Singularity, Modal | Docker/Podman + Apple Container + WASM | | Auth/access | Pairing and local gateway controls | CLI and messaging gateway setup | Password + Passkey + API keys + Vault | | Voice I/O | Voice wake and talk modes | Voice memo transcription | Built-in STT + TTS providers | | MCP | Plugin/integration support | MCP integration | stdio + HTTP/SSE | | Skills | Bundled, managed, and workspace skills | Self-improving skills and Skills Hub support | Bundled/workspace skills + autonomous improvement + OpenClaw import | | Memory/RAG | Plugin-backed memory and context engine | Agent-curated memory, session search, user modeling | SQLite + FTS + vector memory |

* LoC measured with tokei, excluding node_modules, generated build output, dist, and target.

Full comparison in the docs →

Architecture — Crate Map

Current Rust workspace: ~270K LoC across 59 crates. The table below groups the main crates by role so the architecture stays scannable.

Core runtime:

| Crate | LoC | Role | |-------|-----|------| | moltis-gateway | 37.4K | HTTP/WS server, RPC, auth, startup wiring | | moltis-tools | 37.0K | Tool execution, sandboxing, WASM tools | | moltis-providers | 18.9K | LLM provider implementations | | moltis-agents | 14.5K | Agent loop, streaming, prompt assembly | | moltis-chat | 14.2K | Chat engine, agent orchestration | | moltis-config | 10.3K | Configuration, validation | | moltis-httpd | 9.9K | HTTP server primitives and middleware | | moltis (CLI) | 4.7K | Entry point, CLI commands | | moltis-sessions | 3.5K | Session persistence | | moltis-common | 1.5K | Shared utilities | | moltis-service-traits | 1.2K | Shared service interfaces | | moltis-protocol | 0.7K | Wire protocol types |

Feature and integration crates:

| Category | Crates | Combined LoC | |----------|--------|-------------| | Channels | moltis-telegram, moltis-whatsapp, moltis-signal, moltis-discord, moltis-msteams, moltis-matrix, moltis-slack, moltis-nostr, moltis-channels | 34.0K | | Web and APIs | moltis-web, moltis-graphql, moltis-webhooks | 10.8K | | Extensibility | moltis-mcp, moltis-mcp-agent-bridge, moltis-skills, moltis-plugins | 11.5K | | Memory and context | moltis-memory, moltis-qmd, moltis-code-index, moltis-projects | 11.7K | | Voice and browser | moltis-voice, moltis-browser | 9.2K | | Auth and security | moltis-auth, moltis-oauth, moltis-vault, moltis-secret-store, moltis-network-filter, moltis-tls | 8.5K | | Scheduling and automation | moltis-cron, moltis-caldav, moltis-auto-reply | 4.7K | | Setup and import | moltis-provider-setup, moltis-openclaw-import, moltis-onboarding | 11.7K | | Native and node hosts | moltis-swift-bridge, moltis-node-host, moltis-courier | 5.7K | | WASM tools | moltis-wasm-precompile, moltis-wasm-calc, moltis-wasm-web-fetch, moltis-wasm-web-search | 1.4K | | Supporting crates | moltis-media, moltis-metrics, moltis-tailscale, moltis-routing, moltis-canvas, moltis-schema-export, benchmarks | 2.1K |

Use --no-default-features --features lightweight for constrained devices (Raspberry Pi, etc.).

Security

Small unsafe surface — core agent/gateway code stays safe Rust; unsafe is isolated to Swift FFI, local model wrappers, and precompiled WASM boundaries
Sandboxed execution — Docker + Apple Container, per-session isolation
Secret handling — secrecy::Secret, zeroed on drop, redacted from tool output
Authentication — password + passkey (WebAuthn), rate-limited, per-IP throttle
SSRF protection — DNS-resolved, blocks loopback/private/link-local
Origin validation — rejects cross-origin WebSocket upgrades
Hook gating — BeforeToolCall hooks can inspect/block any tool invocation
Supply chain integrity — artifact attestations, Sigstore keyless signing, GPG signing (YubiKey), SHA-256/SHA-512 checksums

See Security Architecture for details. Verify releases with gh attestation verify <artifact> -R moltis-org/moltis or see Release Verification.

Features

AI Gateway — Multi-provider LLM support (OpenAI Codex, GitHub Copilot, Local), streaming responses, agent loop with sub-agent delegation, session modes, parallel tool execution
Communication — Web UI, Telegram, Signal, Microsoft Teams, Discord, API access, voice I/O (8 TTS + 7 STT providers), mobile PWA with push notifications
Memory & Recall — Per-agent memory workspaces, embeddings-powered long-term memory, hybrid vector + full-text search, session persistence with auto-compaction, cross-session recall, Cursor-compatible project context, context-file safety scanning
Safer Agent Editing — Automatic checkpoints before built-in skill and memory mutations, restore tooling, session branching
Extensibility — MCP servers (stdio + HTTP/SSE), skill system, 15 lifecycle hook events with circuit breaker, destructive command guard
Security — Encryption-at-rest vault (XChaCha20-Poly1305 + Argon2id), password + passkey + API key auth, sandbox isolation, SSRF/CSWSH protection
Operations — Cron scheduling, OpenTelemetry tracing, Prometheus metrics, cloud deploy (Fly.io, DigitalOcean), Tailscale integration, managed SSH deploy keys, host-pinned remote targets, live tool inventory in Settings, and CLI/web remote-exec doctor flows

How It Works

Moltis is a local-first persistent agent server — a single Rust binary that sits between you and multiple LLM providers, keeps durable session state, and can meet you across channels without handing your data to a cloud relay.

┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│   Web UI    │  │  Telegram   │  │  Discord    │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │
       └────────┬───────┴────────┬───────┘
                │   WebSocket    │
                ▼                ▼
        ┌─────────────────────────────────┐
        │          Gateway Server         │
        │   (Axum · HTTP · WS · Auth)     │
        ├─────────────────────────────────┤
        │        Chat Service             │
        │  ┌────