Security
Toobit Agent Trade Kit provides multiple layers of security to protect your assets and credentials.
Security Layers
| Layer | Description |
|---|---|
| Local Execution | All programs run locally. Keys are only stored in the local config file (~/.toobit/config.toml). Signatures are computed locally. AI cannot access your credentials. |
| Config Hot-Reload | The MCP server automatically detects changes to config.toml on every request (via file mtime). No restart needed after rotating API keys. Invalid configs are rejected and the previous valid config stays active. |
Read-Only Mode --read-only | Only data queries are allowed. All write tools are disabled — AI cannot execute any trades. |
Module Filtering --modules | Precisely control which modules are exposed to AI. For example, --modules market only exposes market data. |
| Smart Registration | On startup, the server detects API Key permissions. If the Key lacks trade permissions, order tools won't be registered. |
| Risk Labels | All tools involving fund operations are tagged with [CAUTION], prompting AI to confirm before execution. |
| Local Rate Limiting | Built-in token bucket rate limiter prevents overloading the Toobit API. |
| Input Sanitization | User-provided clientOrderId uses a whitelist ([a-zA-Z0-9_\-.]) to prevent CRLF injection, XSS, and Unicode bypass attacks. |
| Audit Logging | All tool calls are automatically logged to ~/.toobit/logs/ with sensitive data (signatures, etc.) redacted. |
Best Practices
Credential Security
DANGER
Never share your API Key or Secret Key with any AI model or paste it into a chat. All credentials should only be stored in the local config file (~/.toobit/config.toml).
- Use a sub-account API Key with only the minimum required permissions
- Set up IP whitelisting to restrict API Key usage
- Regularly review and rotate your API Keys
Risk Management
- Start with
--read-onlymode to familiarize yourself with features - Use
--modules marketto expose only market queries, with no trading involved - Test with
spot_place_order_testbefore actual trades - Regularly review audit logs in
~/.toobit/logs/ - AI can make mistakes — always verify order details before execution
WARNING
Users bear all risks and losses from trading operations.