Skip to content

Add secure-agent-payments skill#35

Open
theyavuzarslan wants to merge 1 commit into
circlefin:masterfrom
theyavuzarslan:add-secure-agent-payments-skill
Open

Add secure-agent-payments skill#35
theyavuzarslan wants to merge 1 commit into
circlefin:masterfrom
theyavuzarslan:add-secure-agent-payments-skill

Conversation

@theyavuzarslan

@theyavuzarslan theyavuzarslan commented Jul 6, 2026

Copy link
Copy Markdown

This adds a secure-agent-payments skill for hardening agents that spend money over x402 or the Circle agent wallet.

The existing agent-payment skills cover setup (use-agent-wallet), the pay flow (pay-via-agent-wallet), funding (fund-agent-wallet), and wallet-side spending limits (agent-wallet-policy). Wallet-side limits cap what a compromised agent can lose, but nothing today covers securing the agent itself: keeping keys out of the model's context, deciding whether a payment parameter that arrived from a web page or tool output can be trusted, re-verifying an endpoint before paying it, and enforcing budgets in the agent's own code. That inner layer is what this skill adds. It's written to complement agent-wallet-policy rather than replace it; the point is to have both.

What's in it:

  • sign through the Circle agent wallet CLI session, so raw keys never end up in agent context, prompts, logs, or generated code
  • a provenance gate for payment parameters from untrusted content (web pages, social posts, tool outputs, x402 discovery listings): they have to clear an allowlist, a direct 402 re-fetch, or human confirmation before the agent acts on them
  • endpoint verification: re-request the 402 challenge from the canonical URL and check price, asset, and chain within tolerance, rejecting seller-driven redirects and price spikes
  • per-payment, per-session, and per-minute budget caps enforced in code, with a kill switch
  • append-only audit logging that never records secrets
  • halting the payment loop on anomalies instead of retrying

These map to real incidents: key exfiltration (Banana Gun, ~$3M; a Telegram bot key leak, ~$200K; malicious MCP routers stealing credentials, ~$500K), prompt-injection drains (the Grok/Bankr reply injection, ~$200K; AIXBT via malicious social replies, ~55 ETH), and semantic manipulation of payment logic (Freysa, ~$47K through approveTransfer).

The skill follows the existing format: frontmatter with triggers, overview, prerequisites, quick reference table, core concepts, numbered implementation patterns in framework-agnostic TypeScript, security rules, next-step cross-references, reference links, and the standard disclaimer. Code stays generic (plain fetch and viem-style types), and volatile SDK details defer to the Circle MCP server. A row for the README skills table is included.

@theyavuzarslan theyavuzarslan force-pushed the add-secure-agent-payments-skill branch from 72bd2b0 to 3d8170a Compare July 13, 2026 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant