Security
Kyber runs locally and gives the AI agent access to tools on your system. Here’s how to keep things locked down.
Access control
Every chat channel supports allowFrom to restrict who can interact with the bot. If allowFrom is empty, the bot responds to everyone. Always set this in production.
{
  "channels": {
    "discord": {
      "allowFrom": ["YOUR_USER_ID"],
      "allowGuilds": ["YOUR_SERVER_ID"],
      "allowChannels": ["YOUR_CHANNEL_ID"]
    },
    "telegram": {
      "allowFrom": ["YOUR_USER_ID"]
    }
  }
}

Discord also supports allowGuilds and allowChannels for additional filtering.
Dashboard security
- The dashboard is local-only by default (127.0.0.1)
- Protected with an auto-generated bearer token
- Refuses to bind to non-local addresses without allowedHosts configured
- If you need remote access, use a reverse proxy with HTTPS
Shell execution
The exec tool gives the agent shell access. To limit this:
{
  "tools": {
    "exec": {
      "timeout": 60,
      "restrictToWorkspace": true
    }
  }
}

- timeout kills commands that run too long
- restrictToWorkspace blocks commands that access paths outside the workspace
API keys
- Store API keys only in ~/.kyber/config.json
- The file should be readable only by your user (chmod 600 ~/.kyber/config.json)
- Never commit config files with API keys to git
- Rotate keys if they’re ever exposed
WhatsApp session
The WhatsApp bridge stores session data locally in ~/.kyber/. This data provides full access to your WhatsApp account. Treat the entire ~/.kyber/ directory as sensitive.
Environment variables
Config values can be set via environment variables (prefix KYBER_). This is useful for deployments where you don’t want secrets in files:
export KYBER_PROVIDERS__OPENROUTER__API_KEY="sk-or-v1-xxx"
kyber gateway

VPS deployments
If running on a VPS:
- Set allowFrom on all channels
- Use restrictToWorkspace: true for shell execution
- Run the dashboard behind a reverse proxy with HTTPS
- Set allowedHosts on the dashboard if binding to 0.0.0.0
- Use loginctl enable-linger so services survive logout
- Keep ~/.kyber/ permissions tight (chmod 700)
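
A small audit script for the checklist above, added here as an example and not part of Kyber itself. It assumes the config layout shown in the JSON snippets on this page; the function names are hypothetical and the sample config is constructed.

```python
import json
import os
import stat
import tempfile

def audit_config(cfg):
    """Return findings for a parsed config dict (layout assumed from this page)."""
    findings = []
    for name, chan in cfg.get("channels", {}).items():
        # An empty or missing allowFrom means the bot responds to everyone.
        if not chan.get("allowFrom"):
            findings.append(f"channels.{name}.allowFrom is empty")
    exec_cfg = cfg.get("tools", {}).get("exec", {})
    if exec_cfg.get("restrictToWorkspace") is not True:
        findings.append("tools.exec.restrictToWorkspace is not true")
    if not exec_cfg.get("timeout"):
        findings.append("tools.exec.timeout is not set")
    return findings

def audit_permissions(path, want):
    """Flag permission bits beyond `want` (0o600 for the file, 0o700 for the dir)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~want
    return [f"{path} mode {mode:o} grants more than {want:o}"] if extra else []

def audit(kyber_dir):
    """Audit a ~/.kyber-style directory and the config.json inside it."""
    cfg_path = os.path.join(kyber_dir, "config.json")
    with open(cfg_path) as fh:
        cfg = json.load(fh)
    return (audit_config(cfg)
            + audit_permissions(kyber_dir, 0o700)
            + audit_permissions(cfg_path, 0o600))

if __name__ == "__main__":
    # Constructed sample: telegram has no allowFrom, exec is not restricted.
    sample = {"channels": {"discord": {"allowFrom": ["YOUR_USER_ID"]},
                           "telegram": {"allowFrom": []}},
              "tools": {"exec": {"timeout": 60}}}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        with open(path, "w") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately too open for a file holding API keys
        os.chmod(d, 0o700)
        for finding in audit(d):
            print("FINDING:", finding)
```

To check a real install, call audit(os.path.expanduser("~/.kyber")) and treat any returned finding as something to fix before exposing the bot.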