Security architecture
Nymiria is designed so that the attack surfaces that have compromised other AI agent tools simply don’t exist. Here’s exactly how.
No gateway, no exposure
Nymiria has no local WebSocket server, no open port, and no loopback listener. Agent execution lives inside the app process — completely unreachable from the browser or web.
Keys stay in your OS keychain
API keys are stored using your operating system's native credential store (Keychain on macOS, Credential Manager on Windows, libsecret on Linux). They are never written to disk in plaintext.
Zero telemetry by default
Nymiria does not phone home, collect usage analytics, or transmit session data. The only outbound connections are the AI provider calls you explicitly initiate.
Local-first data model
Your conversations, memory, and project state live in a local SQLite database. Nothing syncs to a cloud server unless you explicitly enable multi-device mode.
BYOK — bring your own keys
You authenticate directly with each AI provider using your own account. Nymiria is never in the token path and cannot see or intercept your provider responses.
Local inference mode
Flip one switch and all requests route exclusively to Ollama or llama.cpp on your machine. A status indicator confirms zero bytes leave the device while the mode is active.
How Nymiria compares
Referencing the ClawJacked vulnerability in OpenClaw and similar gateway-based agents.
Responsible disclosure
Found a security issue? Email security@nymiria.com. We respond within 48 hours and will credit researchers who report valid issues.