MotebitTools
Built-in tools, MCP integration, and the trust model.
Tools give the motebit agency — the ability to read files, search the web, execute commands, and interact with external services. Every tool call passes through the policy gate before execution.
Built-in tools
Motebit registers six tools by default:
| Tool | Risk | Description |
|---|---|---|
read_file | Read | Read a file from allowed paths |
web_search | Read | Search the web (Brave → DuckDuckGo fallback) |
read_url | Read | Fetch and read a URL |
recall_memories | Read | Query the agent's memory graph |
list_events | Read | Browse the agent's event log |
delegate_to_agent | Read | Delegate a task to a remote agent via relay |
Additional tools (write_file, shell_exec) exist in @motebit/tools but are not registered by default. They require operator mode and explicit approval — see Shell Execution for the governance requirements before enabling.
MCP integration
Model Context Protocol (MCP) lets your motebit connect to external tool servers. Configure MCP servers in ~/.motebit/config.json:
{
"mcp_servers": [
{
"name": "filesystem",
"transport": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/user"],
"trusted": true
},
{
"name": "github",
"transport": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": { "GITHUB_TOKEN": "ghp_..." },
"trusted": false
}
]
}| Field | Type | Description |
|---|---|---|
name | string | Server identifier (used in tool namespacing) |
transport | "stdio" | Transport type (stdio only for now) |
command | string | Command to launch the server |
args | string[] | Command arguments |
env | object | Environment variables for the server process |
trusted | boolean | If false, all tools require per-call approval |
MCP tools are namespaced to avoid collisions — format: {serverName}__{toolName} (e.g., filesystem__read_file, github__create_issue).
Trust model
Trusted vs untrusted servers
- Trusted (
"trusted": true) — Tools execute without per-call approval (still subject to risk level and operator mode) - Untrusted (
"trusted": false) — Every tool call requires explicit user approval
Trust is managed per-server. In the CLI:
/mcp list # Show connected servers and trust status
/mcp trust github # Trust the github server
/mcp untrust github # Remove trustRisk levels still apply
Even trusted MCP tools go through risk classification. A trusted server's write_file tool still requires operator mode because it's classified as a write operation. Trust skips the per-call approval prompt, not the policy gate.
Content sanitization
All tool results — built-in and MCP — are checked for prompt injection patterns. External data is wrapped in boundary markers that delineate the trust boundary between internal and external content. If suspicious content is detected, the system flags it and notifies you.