Moltis — A Rust-native claw you can trust

One binary — sandboxed, secure, yours.

Installation • Comparison • Architecture • Security • Features • How It Works • Contributing

---

Moltis recently hit the front page of Hacker News. Please open an issue for any friction at all. I'm focused on making Moltis excellent.

Secure by design — Your keys never leave your machine. Every command runs in a sandboxed container, never on your host.

Your hardware — Runs on a Mac Mini, a Raspberry Pi, or any server you own. One Rust binary, no Node.js, no npm, no runtime.

Full-featured — Voice, memory, scheduling, Telegram, browser automation, MCP servers — all built-in. No plugin marketplace to get supply-chain attacked through.

Auditable — The agent loop + provider model fits in ~5K lines. The core (excluding the optional web UI) is ~121K lines across modular crates you can audit independently, with 2,300+ tests and zero unsafe code*.

Installation

# One-liner install script (macOS / Linux)
curl -fsSL https://www.moltis.org/install.sh | sh

# macOS / Linux via Homebrew
brew install moltis-org/tap/moltis

# Docker (multi-arch: amd64/arm64)
docker pull ghcr.io/moltis-org/moltis:latest

# Or build from source
cargo install moltis --git https://github.com/moltis-org/moltis

Comparison

	OpenClaw	PicoClaw	NanoClaw	ZeroClaw	Moltis
Language	TypeScript	Go	TypeScript	Rust	Rust
Agent loop	~430K LoC	Small	~500 LoC	~3.4K LoC	~5K LoC (runner.rs + model.rs)
Full codebase	—	—	—	1,000+ tests	~124K LoC (2,300+ tests)
Runtime	Node.js + npm	Single binary	Node.js	Single binary (3.4 MB)	Single binary (44 MB)
Sandbox	App-level	—	Docker	Docker	Docker + Apple Container
Memory safety	GC	GC	GC	Ownership	Ownership, zero unsafe*
Auth	Basic	API keys	None	Token + OAuth	Password + Passkey + API keys
Voice I/O	Plugin	—	—	—	Built-in (15+ providers)
MCP	Yes	—	—	—	Yes (stdio + HTTP/SSE)
Hooks	Yes (limited)	—	—	—	15 event types
Skills	Yes (store)	Yes	Yes	Yes	Yes (+ OpenClaw Store)
Memory/RAG	Plugin	—	Per-group	SQLite + FTS	SQLite + FTS + vector

* unsafe is denied workspace-wide. The only exceptions are opt-in FFI wrappers behind the local-embeddings feature flag, not part of the core.

Full comparison with benchmarks →

Architecture — Crate Map

Core (always compiled):

Crate	LoC	Role
moltis (cli)	2.4K	Entry point, CLI commands
moltis-agents	20.1K	LLM providers, agent loop, streaming
moltis-gateway	29.2K	HTTP/WS server, RPC, auth
moltis-chat	10.2K	Chat engine, agent orchestration
moltis-tools	13.4K	Tool execution, sandbox
moltis-config	5.1K	Configuration, validation
moltis-sessions	2.7K	Session persistence
moltis-plugins	1.4K	Hook dispatch, plugin formats
moltis-common	0.8K	Shared utilities

Optional (feature-gated or additive):

Category	Crates	Combined LoC
Web UI	moltis-web	4.3K
Voice	moltis-voice	4.7K
Memory	moltis-memory, moltis-qmd	5.8K
Channels	moltis-telegram, moltis-channels	6.4K
Browser	moltis-browser	4.8K
Scheduling	moltis-cron	3.8K
Extensibility	moltis-mcp, moltis-skills	7.4K
Auth/OAuth	moltis-oauth, moltis-onboarding	2.8K
Metrics	moltis-metrics	1.7K
Other	moltis-projects, moltis-routing, moltis-protocol, moltis-media, moltis-canvas, moltis-auto-reply	2.4K

Use --no-default-features --features lightweight for constrained devices (Raspberry Pi, etc.).

Security

• Zero unsafe code* — denied workspace-wide; only opt-in FFI behind local-embeddings flag
• Sandboxed execution — Docker + Apple Container, per-session isolation
• Secret handling — secrecy::Secret, zeroed on drop, redacted from tool output
• Authentication — password + passkey (WebAuthn), rate-limited, per-IP throttle
• SSRF protection — DNS-resolved, blocks loopback/private/link-local
• Origin validation — rejects cross-origin WebSocket upgrades
• Hook gating — BeforeToolCall hooks can inspect/block any tool invocation

See Security Architecture for details.

Features

• AI Gateway — Multi-provider LLM support (OpenAI Codex, GitHub Copilot, Local), streaming responses, agent loop with sub-agent delegation, parallel tool execution
• Communication — Web UI, Telegram, API access, voice I/O (8 TTS + 7 STT providers), mobile PWA with push notifications
• Memory & Context — Embeddings-powered long-term memory, hybrid vector + full-text search, session persistence with auto-compaction, project context
• Extensibility — MCP servers (stdio + HTTP/SSE), skill system, 15 lifecycle hook events with circuit breaker, destructive command guard
• Operations — Cron scheduling, OpenTelemetry tracing, Prometheus metrics, cloud deploy (Fly.io, DigitalOcean), Tailscale integration

How It Works

Moltis is a local-first AI gateway — a single Rust binary that sits between you and multiple LLM providers. Everything runs on your machine; no cloud relay required.

┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│   Web UI    │  │  Telegram   │  │  Discord    │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │
       └────────┬───────┴────────┬───────┘
                │   WebSocket    │
                ▼                ▼
        ┌─────────────────────────────────┐
        │          Gateway Server         │
        │   (Axum · HTTP · WS · Auth)     │
        ├─────────────────────────────────┤
        │        Chat Service             │
        │  ┌───────────┐ ┌─────────────┐  │
        │  │   Agent   │ │    Tool     │  │
        │  │   Runner  │◄┤   Registry  │  │
        │  └─────┬─────┘ └─────────────┘  │
        │        │                        │
        │  ┌─────▼─────────────────────┐  │
        │  │    Provider Registry      │  │
        │  │  Multiple providers       │  │
        │  │  (Codex · Copilot · Local)│  │
        │  └───────────────────────────┘  │
        ├─────────────────────────────────┤
        │  Sessions  │ Memory  │  Hooks   │
        │  (JSONL)   │ (SQLite)│ (events) │
        └─────────────────────────────────┘
                       │
               ┌───────▼───────┐
               │    Sandbox    │
               │ Docker/Apple  │
               │  Container    │
               └───────────────┘

See Quickstart for gateway startup, message flow, sessions, and memory details.

Getting Started

Build & Run

git clone https://github.com/moltis-org/moltis.git
cd moltis
cargo build --release
cargo run --release

Open https://moltis.localhost:3000. On first run, a setup code is printed to the terminal — enter it in the web UI to set your password or register a passkey.

Optional flags: --config-dir /path/to/config --data-dir /path/to/data

Docker

# Docker / OrbStack
docker run -d \
  --name moltis \
  -p 13131:13131 \
  -p 13132:13132 \
  -v moltis-config:/home/moltis/.config/moltis \
  -v moltis-data:/home/moltis/.moltis \
  -v /var/run/docker.sock:/var/run/docker.sock \
  ghcr.io/moltis-org/moltis:latest

Open https://localhost:13131 and complete the setup. See Docker docs for Podman, OrbStack, TLS trust, and persistence details.

Cloud Deployment

Provider	Deploy
DigitalOcean

Fly.io (CLI):

fly launch --image ghcr.io/moltis-org/moltis:latest
fly secrets set MOLTIS_PASSWORD="your-password"

All cloud configs use --no-tls because the provider handles TLS termination. See Cloud Deploy docs for details.

Star History

License

MIT