DEV Community

Cover image for Building safer AI-agent workflows for the MEXC API
mrcnm
mrcnm

Posted on

Building safer AI-agent workflows for the MEXC API

#agents #ai #api #showdev

I’ve been working on a small open-source repo for AI-agent workflows around the MEXC API.

The project is not meant to be a “trading bot.” The goal is more specific: to give coding agents like Claude Code, Codex-style agents, and similar tools a safer structure for working with live exchange API workflows.

The first implementation is for MEXC.

GitHub repo:

https://github.com/mncrftfrcnm/mexc-agent-trading-skills

What the project is

This repo contains experimental skills/prompts for AI coding agents that work with MEXC API workflows.

The skills are split into four main areas:

  • MEXC Spot REST
  • MEXC Spot WebSocket
  • MEXC Futures REST
  • MEXC Futures WebSocket

Each skill gives an agent a smaller, focused set of instructions instead of making it read a large API reference every time. The repo also includes helper scripts, endpoint recipes, WebSocket notes, and safety rules for handling credentials and live actions.

In simple terms, the skills can help an agent:

  • query public market data
  • check account information, such as Spot or Futures balances
  • see available tokens/assets in an account
  • build signed REST requests
  • use local API credentials from environment variables
  • use dry-runs before sending live requests
  • use Spot test orders before live Spot orders
  • work with WebSocket streams for market data, order-book updates, and account/order events
  • avoid printing API keys, signatures, listen keys, or private account data

The main idea is to make unsafe behavior harder by default.

Why I made it

Coding agents are useful when working with APIs, but live trading APIs are different from normal developer APIs.

If an agent makes a bad request to a normal test API, maybe the request just fails. If it makes a bad request to a trading API, it could place an unwanted order, cancel something, change account or position settings, expose credentials, or leak private account data into logs.

That is the problem this repo is trying to reduce.

The project focuses on safer defaults:

  • use local environment variables instead of asking users to paste API keys into chat
  • prefer dry-runs and read-only requests first
  • require explicit confirmation before live authenticated write requests
  • redact sensitive values in dry-run output
  • separate Spot and Futures workflows
  • separate REST and WebSocket workflows
  • clearly mark experimental areas, especially Futures live-order workflows

Repo structure

The repo includes compatibility layouts for different agent environments.

For Claude / Claude Code / Claude Desktop, there are Claude-ready skill folders.

For Codex-style repository agents, there is a separate Codex-oriented layout.

The main skills are:

mexc-spot-rest
mexc-spot-websocket
mexc-futures-rest
mexc-futures-websocket
Enter fullscreen mode Exit fullscreen mode

The REST skills include local helper scripts for request construction and signing.

The WebSocket skills include workflow notes for public streams, private streams, reconnect behavior, listen keys, order-book updates, and handling sensitive stream data.

What the Spot REST skill includes

The Spot REST skill focuses on one-off REST API workflows, including:

  • public market data
  • server time
  • symbol and exchange information
  • signed account reads
  • balance checks
  • Spot test orders
  • order lookup
  • signed request construction
  • dry-run output with sensitive values redacted

The helper script is designed so an agent can construct and sign requests without manually rebuilding the signing process every time.

What the Spot WebSocket skill includes

The Spot WebSocket skill is for live Spot streaming workflows.

It includes guidance for:

  • public trade streams
  • ticker and depth streams
  • protobuf-based public messages
  • listen-key based private streams
  • account and order updates
  • reconnect behavior
  • local order-book recovery
  • avoiding listen-key exposure in logs

This is meant to give an agent a clear workflow for streaming data instead of mixing WebSocket logic into normal REST tasks.

What the Futures REST skill includes

The Futures REST skill focuses on Futures API workflows, including:

  • public contract data
  • contract details
  • server status
  • account assets
  • position information
  • signed Futures requests
  • contract metadata checks
  • precision and leverage-related information
  • safer request patterns for live workflows

Futures live-order support is still treated as experimental. The repo keeps warnings around Futures private write endpoints because endpoint availability, permissions, and maintenance status can vary.

What the Futures WebSocket skill includes

The Futures WebSocket skill is for live contract market data and private Futures events.

It includes guidance for:

  • public contract streams
  • tickers, deals, depth, funding, and price-related streams
  • private account, order, and position streams
  • ping/pong behavior
  • reconnects and resubscriptions
  • order-book recovery from snapshots
  • redacting private authentication payloads and account data

What is currently tested

The repo currently includes self-tests for the Spot REST and Futures REST request-signing helpers.

The CI workflow also:

  • runs the Spot REST helper self-test
  • runs the Futures REST helper self-test
  • compiles the Python files
  • runs gitleaks secret scanning
  • runs TruffleHog verified secret scanning

That means the repo already checks the local helper scripts, Python syntax, and basic secret hygiene in CI.

Current project status:

  • Spot REST helper signing: self-tested
  • Futures REST helper signing: self-tested
  • Python files: compile-tested
  • Secret scanning: included in CI
  • WebSocket workflows: documented and structured as agent skills
  • Live trading workflows: guarded by confirmation rules and warnings, not claimed as production-ready

Safety model

The repo is designed around the idea that agents should not casually perform live trading actions.

By default, the helper scripts prefer dry-run behavior. Authenticated live non-GET requests require explicit confirmation flags. Sensitive values such as API keys, signatures, and listen keys are treated as private and should not be printed or stored in logs.

The project also recommends:

  • dedicated API keys for this project
  • disabled withdrawal permissions
  • IP restrictions where possible
  • minimum required API permissions
  • small test sizes if live testing is ever done
  • reviewing every symbol, side, order type, price, quantity, leverage, and account type before any live action

Important disclaimer

This project is unofficial and not affiliated with MEXC.

It is not financial advice, investment advice, trading advice, or a recommendation to buy, sell, or hold any asset.

Live trading APIs can affect real balances, orders, and positions. This repo is meant for developer experimentation and structured agent workflows, not unattended live trading.

GitHub repo:

https://github.com/mncrftfrcnm/mexc-agent-trading-skills

Top comments (0)