Key takeaways
- Single Rust binary with everything built-in — no external dependencies, no npm, just run it
- Full sandboxing (Docker/Apple Container) with per-session isolation
- MCP support, voice (TTS/STT), memory, hooks, cron, OAuth — enterprise-grade feature set
FAQ
What is Moltis?
A Rust-based personal AI gateway — single binary with multi-provider LLM support, sandboxed execution, voice, MCP tools, and multi-channel access.
How much does Moltis cost?
Free and open source (MIT license). You pay for LLM API costs (OpenAI, GitHub Copilot, or local models).
Who competes with Moltis?
OpenClaw (TypeScript, full-featured), ZeroClaw (Rust, security-focused), IronClaw (Rust, self-expanding).
Executive Summary
Moltis is a Rust-based personal AI gateway that packs enterprise-grade features into a single binary. It offers multi-provider LLMs, sandboxed execution, long-term memory, voice support, MCP tools, cron scheduling, OAuth, and multi-channel access, all without npm, Python, or external dependencies. Built by Fabien Penso and publicly launched in February 2026 as a security-focused answer to the January OpenClaw disclosures, it positions itself as "secure by design": sandboxed by default, with no plugin marketplace that could serve as a supply-chain attack vector [moltis-website]. As of June 2026 it ships releases roughly weekly and offers one-click OpenClaw import [moltis-releases].
| Attribute | Value |
|---|---|
| Language | Rust (~150K LOC, single ~60MB binary) [penso-moltis-announcement] |
| License | MIT [moltis-github] |
| GitHub Stars | 2.7K ★ (as of June 2026) [moltis-github] |
| Install | `curl -fsSL moltis.org/install.sh \| sh` [moltis-website] |
Key Capabilities
| Capability | Description |
|---|---|
| Single binary | No npm, no Python, just moltis |
| Multi-provider | OpenAI, GitHub Copilot (zero-config OAuth), local GGUF/MLX, Hugging Face |
| Sandboxed execution | Docker, Podman, and Apple Container backends |
| MCP support | Connect to MCP tool servers (stdio or HTTP/SSE) with auto-restart |
| Voice | TTS and STT with cloud and local providers |
| Memory | Hybrid vector + full-text long-term memory in SQLite |
| Hooks | Lifecycle hooks with priority, circuit breaker, dry-run |
| Channels | Web UI, Telegram, WhatsApp, Discord, Slack, Matrix, Nostr, Teams, API [moltis-website] |
| Auth | Password, passkey (WebAuthn), API keys |
| Cron | Natural-language scheduled tasks |
| Calendar | CalDAV integration for events and reminders [moltis-website] |
| OpenClaw import | One-click migration; OpenClaw plugin compatibility [moltis-website] |
| Observability | Prometheus metrics, OpenTelemetry tracing [penso-moltis-announcement] |
| Cloud deploy | One-click Fly.io, DigitalOcean, Render |
Architecture
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│   Web UI    │ │  Telegram   │ │   Discord   │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
       └───────────────┼───────────────┘
                       ▼
            ┌────────────────────┐
            │   Gateway Server   │
            │   (Axum HTTP/WS)   │
            ├────────────────────┤
            │  Agent Runner      │
            │  Tool Registry     │
            │  Provider Registry │
            ├────────────────────┤
            │ Sessions │ Memory  │
            └──────────┬─────────┘
                       ▼
               ┌───────────────┐
               │    Sandbox    │
               │ Docker/Apple  │
               └───────────────┘
Strengths
- Single binary — Download and run, no dependency hell
- Rust quality — Type-safe, memory-safe, production-ready
- Full sandboxing — Per-session Docker/Podman/Apple Container isolation
- Security-first posture — Keys never leave your machine; no plugin marketplace as a supply-chain attack surface [moltis-website]
- MCP native — First-class MCP tool server support
- Feature complete — Voice, memory, hooks, cron, calendar, OAuth, auth
- Active maintenance — Roughly weekly releases through June 2026 [moltis-releases]
- Cloud-ready — One-click deploy configs for major platforms
Cautions
- Smaller community — 2.7K stars vs OpenClaw's 160K+
- Rust doesn't fix prompt injection — HN commenters pushed back that memory safety addresses supply-chain risk, not agent-level risks; one warned "all this molt stuff is yolo for life on all things you give it access to" [moltis-show-hn]
- Rust compilation — Slower builds than TypeScript if building from source
- Fewer integrations — Eight channels, not 50+ like OpenClaw
- Less ecosystem — Fewer skills/plugins available (partly offset by OpenClaw plugin compatibility)
What Developers Say
From the Show HN launch thread (131 points, 52 comments) [moltis-show-hn]:
"Everything is so polished and it's not full of half baked features... the core is solid." — P2Chill
"Your take has all the pain points of openclaw fixed!" — michelsedgh
"Lots of stuff about how it's built and absolutely nothing about how it's useful to me." — CGamesPlay
The split is consistent: praise for build quality and onboarding versus OpenClaw, skepticism about whether Rust's safety story extends to prompt injection and agent permissions.
Bottom Line
Moltis is what you get if you rebuild OpenClaw from scratch in Rust with a focus on self-contained, secure-by-default deployment. The single-binary approach is genuinely appealing — no npm, no Python, no dependency conflicts — and the project has real momentum: stars doubled to 2.7K between February and June 2026, with near-weekly releases and one-click OpenClaw migration capitalizing on the January security disclosures [moltis-github] [moltis-releases]. If you want OpenClaw-style features with Rust's reliability and don't need 50+ messaging channels, Moltis is worth considering.
Recommended for: Users who want OpenClaw features in a single compiled binary with proper sandboxing.
Not recommended for: Those who need extensive channel integrations or a large plugin ecosystem.
Research by Ry Walker Research