SafeLink
Production-grade OpenClaw skill for safe bidirectional hire-agent and execute-agent flows.
Brand and Discovery
`SafeLink` is designed for trusted agent economies:
- tagline: `Safe A2A hiring, settled on proof`
- target users: OpenClaw developers, MCP operators, agent marketplaces
- recommended ClawHub tags:
  - `security`
  - `web3`
  - `a2a`
  - `payments`
  - `escrow`
  - `x402`
  - `erc-8004`
  - `agentic-wallet`
  - `mcp`
  - `production`
Design Goals
- Default-safe operations with explicit escalation for risk.
- Zero private key exposure through MPC wallet providers.
- Proof-before-settlement: no proof, no release.
- Deterministic validation and replay defenses.
- Fast onboarding: one-call wallet setup and beginner-safe examples.
Security Guarantees
SafeLink enforces the following guarantees in runtime code paths:
1. Wallet custody
   - Private keys are never loaded into app memory.
   - Signing is delegated to Coinbase AgentKit MPC or Privy MPC.
2. Settlement safety
   - Escrow deposit happens before task execution.
   - Release requires proof hash equality with the on-chain commitment.
   - Failed delivery and invalid proofs trigger the refund path.
3. Replay and race protection
   - Receipt replay reservation/used state is enforced.
   - An idempotency lock prevents concurrent duplicates.
   - Completed idempotency keys are blocked for reuse (terminal dedupe window).
4. Input and endpoint hardening
   - Strict zod validation on tool inputs.
   - PII redaction for task and intent text.
   - Endpoint URL checks include scheme, hostname denylist, private IP range checks, and DNS resolution checks to prevent SSRF pivots.
5. Transaction execution safety
   - Simulate before signing.
   - Risk score and flags decide the gating path.
   - High-risk actions require explicit confirmation.
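The endpoint check described under "Input and endpoint hardening" (scheme, hostname denylist, private IP ranges, DNS resolution) written out as an added TypeScript example; this is not SafeLink's own code. The allowed-scheme set, the denylist entries, the `validateEndpoint` / `isPrivateIpv4` / `isPrivateIpv6` names and the `demoResolver` lookup table are assumptions made for the example; the resolver is injected so the logic runs offline, and in production it would wrap `dns.promises.lookup` with `{ all: true }`.

```typescript
// Added example, not SafeLink's own code: outbound endpoint validation for
// A2A task delivery. The DNS step is an injected callback so the example runs
// offline; wrap dns.promises.lookup(host, { all: true }) for real use and keep
// the decision logic unchanged.

export type Resolver = (hostname: string) => string[];
export interface EndpointVerdict { ok: boolean; reason?: string }

// Constructed policy for this example: only HTTPS to remote agents, plus a
// small hostname denylist on top of the address-range checks below.
const ALLOWED_SCHEMES = new Set(["https:"]);
const HOSTNAME_DENYLIST = new Set(["localhost"]);
const DENIED_SUFFIXES = [".localhost", ".local", ".internal"];

function parseIpv4(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Loopback, link-local, RFC 1918, CGNAT and "this network" ranges.
export function isPrivateIpv4(ip: string): boolean {
  const n = parseIpv4(ip);
  if (n === null) return false;
  const inBlock = (base: string, bits: number): boolean => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((parseIpv4(base)! & mask) >>> 0);
  };
  return (
    inBlock("0.0.0.0", 8) || inBlock("10.0.0.0", 8) || inBlock("100.64.0.0", 10) ||
    inBlock("127.0.0.0", 8) || inBlock("169.254.0.0", 16) ||
    inBlock("172.16.0.0", 12) || inBlock("192.168.0.0", 16)
  );
}

// Loopback, unspecified, unique-local, link-local and IPv4-mapped addresses.
export function isPrivateIpv6(ip: string): boolean {
  const h = ip.toLowerCase();
  if (h === "::1" || h === "::") return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (mapped) return isPrivateIpv4(mapped[1]);
  return /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h);
}

export function validateEndpoint(raw: string, resolve: Resolver): EndpointVerdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };
  // The URL parser canonicalises the host (case, numeric forms such as 0x7f000001),
  // so the checks below see the normalised name; strip IPv6 brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (HOSTNAME_DENYLIST.has(host) || DENIED_SUFFIXES.some((s) => host.endsWith(s))) {
    return { ok: false, reason: `hostname ${host} is denylisted` };
  }
  const isV4 = parseIpv4(host) !== null;
  const isV6 = host.includes(":");
  if ((isV4 && isPrivateIpv4(host)) || (isV6 && isPrivateIpv6(host))) {
    return { ok: false, reason: `literal address ${host} is private` };
  }
  if (!isV4 && !isV6) {
    const addrs = resolve(host);
    if (addrs.length === 0) return { ok: false, reason: `DNS resolution failed for ${host}` };
    // Every record must be public: a single private A/AAAA record is enough for a pivot.
    const bad = addrs.find((a) => isPrivateIpv4(a) || isPrivateIpv6(a));
    if (bad) return { ok: false, reason: `${host} resolves to private address ${bad}` };
  }
  return { ok: true };
}

// Constructed resolver table standing in for DNS; these are not real records.
const DEMO_RECORDS: Record<string, string[]> = {
  "agent.example.com": ["203.0.113.10"],
  "mixed.example.com": ["203.0.113.11", "10.0.0.5"],
};
export const demoResolver: Resolver = (host) => DEMO_RECORDS[host] ?? [];
```

Two design choices worth noting: literal addresses are judged without a DNS round trip, and a name is rejected if any resolved record is private, since an attacker-controlled zone can mix one internal record in with public ones.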
Industry Alignment Matrix
Reference themes: x402 v2 facilitator model, ERC-8004 reputation/verification tiers, proof-before-settlement, cryptoeconomic reputation, opaque A2A execution, gas-aware risk controls, zkML/TEE extensibility.
- x402 facilitator flow
  - covered: requirements/pay/verify flows, domain checks, timeout handling
  - gap: SIWx auth binding, batch settlement primitive, sponsored gas ergonomics
- ERC-8004 base identity/reputation
  - covered: register, getAgent, active checks, threshold gating
  - gap: tiered verification fields and verifier lifecycle
- Proof-before-settlement
  - covered: deterministic proof commitment and strict on-chain proof match
- Reputation cryptoeconomics
  - covered: escrow success/failure reputation updates, minimum threshold checks
  - gap: robust Sybil graph scoring, stake/slash challenge economics
- A2A opaque execution
  - covered: minimal metadata task payload and policy gates
  - gap: encrypted envelope mode and selective disclosure controls
- Gas and DoS hardening
  - covered: simulation gas checks, request body limits, concurrency cap, timeout controls
  - gap: adaptive rate control, weighted queues, quota market controls
- zkML/TEE hooks
  - covered: tool fields and hook placeholders
  - gap: real attestation verification and circuit verifier integration
Tool Contract (Production)
setup_agentic_wallet
Purpose: Create or load an MPC wallet and return balance/network readiness.
Parameters:
- `provider` (optional): `auto | coinbase | privy`
  - `auto`: choose Coinbase when available, else Privy
Returns:
```json
{
  "provider": "coinbase",
  "wallet_id": "wallet_...",
  "address": "0x...",
  "eth_balance": "0.120000 ETH",
  "usdc_balance": "12.50 USDC",
  "network": "base-sepolia",
  "network_id": 84532,
  "ready": true,
  "setup_note": "optional"
}
```
Safety notes:
- Never return secrets.
- If the user selects a provider explicitly, honor that choice.
- Fail with actionable configuration guidance.
Example:
```json
{
  "tool": "setup_agentic_wallet",
  "arguments": { "provider": "auto" }
}
```
safe_hire_agent
Purpose: Hire one agent with escrow + x402 + proof verification.
Parameters:
- `target_id`: `0x...` agent address
- `task_description`: text task
- `payment_model`: `per_request | per_min | per_execution`
- `rate`: number, USDC
- `idempotency_key` (optional): dedupe key
- `policy` (optional): runtime constraints
- `confirmed` (optional): explicit high-risk confirmation
Returns:
```json
{
  "task_id": "...",
  "escrow_id": "0x...",
  "result": {},
  "proof_hash": "0x...",
  "status": "completed",
  "reputation_score_at_hire": 82,
  "amount_paid_usdc": 0.05,
  "idempotency_key": "hire-..."
}
```
Safety notes:
- Blocks low-reputation targets.
- Enforces strict endpoint validation including DNS/IP checks.
- Refuses invalid proofs and refunds escrow.
Example:
```json
{
  "tool": "safe_hire_agent",
  "arguments": {
    "target_id": "0xabc123...",
    "task_description": "Summarize this PR and list top 3 security risks.",
    "payment_model": "per_request",
    "rate": 0.05,
    "idempotency_key": "hire-pr-2026-03-05"
  }
}
```
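The settlement and replay rules behind `safe_hire_agent` (escrow deposit before execution, release only on proof-hash equality, an idempotency lock for in-flight duplicates, and a terminal dedupe window for completed keys) modelled in memory as an added TypeScript example; this is not SafeLink's code. The `EscrowLedger` class, its 24-hour window default, and the commitment/proof scheme (commitment = SHA-256 of task id and task text, expected proof = SHA-256 of the commitment and the result hash) are assumptions made for the example; SafeLink's real proof format and on-chain escrow contract are not shown on this page.

```typescript
// Added example, not SafeLink's own code: an in-memory model of the escrow
// release gate and idempotency rules. Hash scheme and window are assumptions.
import { createHash, timingSafeEqual } from "node:crypto";

export type HireState = "reserved" | "completed" | "refunded";
export interface HireRecord { state: HireState; commitment: string; amountUsdc: number; updatedAt: number }
export interface ReleaseOutcome { status: "released" | "refunded"; reason?: string }

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Constant-time comparison of two hex digests of equal length.
function hexEqual(a: string, b: string): boolean {
  if (a.length !== b.length || !/^[0-9a-f]+$/i.test(a) || !/^[0-9a-f]+$/i.test(b)) return false;
  return timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
}

export class EscrowLedger {
  private readonly hires = new Map<string, HireRecord>();

  // `now` is injectable so the dedupe window can be exercised deterministically.
  constructor(
    private readonly now: () => number = Date.now,
    private readonly dedupeWindowMs: number = 24 * 60 * 60 * 1000,
  ) {}

  // Commitment recorded at deposit time (assumed scheme): deterministic for the
  // hirer because it depends only on the task id and text.
  static commitment(taskId: string, taskText: string): string {
    return sha256(`${taskId}\n${taskText}`);
  }

  // Proof the worker must return (assumed scheme): binds commitment to result.
  static expectedProof(commitment: string, result: string): string {
    return sha256(`${commitment}\n${sha256(result)}`);
  }

  // Step 1: deposit before execution. The reservation is also the idempotency lock.
  deposit(idempotencyKey: string, taskId: string, taskText: string, amountUsdc: number): HireRecord {
    const prior = this.hires.get(idempotencyKey);
    if (prior?.state === "reserved") {
      throw new Error(`duplicate in flight for idempotency key ${idempotencyKey}`);
    }
    if (prior?.state === "completed" && this.now() - prior.updatedAt < this.dedupeWindowMs) {
      throw new Error(`idempotency key ${idempotencyKey} already completed inside dedupe window`);
    }
    const rec: HireRecord = {
      state: "reserved",
      commitment: EscrowLedger.commitment(taskId, taskText),
      amountUsdc,
      updatedAt: this.now(),
    };
    this.hires.set(idempotencyKey, rec);
    return rec;
  }

  // Step 2: release only when the worker's proof equals the expected proof;
  // missing or mismatching proofs take the refund path.
  settle(idempotencyKey: string, result: string | null, proofHash: string | null): ReleaseOutcome {
    const rec = this.hires.get(idempotencyKey);
    if (!rec || rec.state !== "reserved") throw new Error(`no reserved escrow for ${idempotencyKey}`);
    if (result === null || proofHash === null) return this.refund(rec, "no proof, no release");
    const expected = EscrowLedger.expectedProof(rec.commitment, result);
    if (!hexEqual(expected, proofHash)) return this.refund(rec, "proof hash does not match commitment");
    rec.state = "completed";
    rec.updatedAt = this.now();
    return { status: "released" };
  }

  state(idempotencyKey: string): HireState | undefined {
    return this.hires.get(idempotencyKey)?.state;
  }

  private refund(rec: HireRecord, reason: string): ReleaseOutcome {
    rec.state = "refunded";
    rec.updatedAt = this.now();
    return { status: "refunded", reason };
  }
}
```

The two failure modes the text lists are separate branches: a concurrent duplicate is rejected while the first hire is still reserved, and a completed key is rejected until the window expires, after which the same key may start a fresh hire.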
safe_execute_tx
Purpose: Intent-to-transaction execution pipeline with mandatory simulation and risk gating.
Parameters:
- `intent_description`: plain-English tx intent
- `confirmed` (optional): high-risk confirmation
Returns:
```json
{
  "tx_hash": "0x...",
  "simulation_report": {
    "success": true,
    "gas_estimate": 142331
  },
  "risk_score": 24,
  "risk_flags": ["HIGH_GAS"],
  "status": "broadcast"
}
```
Safety notes:
- Never sign when simulation fails.
- Never bypass confirmation for a high risk score.
Example:
```json
{
  "tool": "safe_execute_tx",
  "arguments": {
    "intent_description": "Approve 5 USDC to escrow contract 0x... on Base Sepolia"
  }
}
```
safe_listen_for_hire
Purpose: Start local HTTP receiver for inbound paid tasks.
Parameters: none.
Returns:
```json
{
  "status": "listening",
  "message": "Agent ... is now accepting hire requests ...",
  "tasks_processed": 0,
  "endpoint": "http://127.0.0.1:8787/task"
}
```
Safety notes:
- Verifies the payment receipt before executing work.
- Rejects malformed session IDs and invalid amount values.
- Uses bounded concurrency and body size limits.
Example:
```json
{
  "tool": "safe_listen_for_hire",
  "arguments": {}
}
```
Additional Tools
- `safe_hire_agents_batch`: batch hires with bounded concurrency and failure policy
- `safe_register_as_service`: publish capabilities/policy to registry
- `verify_task_proof`: validate proof locally and optionally against escrow record
- `get_agent_reputation`: fetch and evaluate target reputation profile
- `generate_agent_card`: produce JSON and markdown profile artifacts
- `checkpoint_memory`: encrypted memory checkpoint + Merkle anchoring
- `agent_analytics_summary`: period metrics and operations summary
One-Click Setup
1. Install and configure env:
```bash
npm install
npm run setup
```
2. Build and start the MCP server:
```bash
npm run build
npm start
```
3. First call from host:
```json
{
  "tool": "setup_agentic_wallet",
  "arguments": { "provider": "auto" }
}
```
Security-Focused Examples
Example: Safe hire with deterministic idempotency
```ts
await agent.call("safe_hire_agent", {
  target_id: "0xabc123...",
  task_description: "Analyze the staking contract for reentrancy and auth flaws.",
  payment_model: "per_request",
  rate: 0.08,
  idempotency_key: "audit-staking-v1-2026-03-05"
});
```
Example: Escalation flow for high-risk tx
CODEBLOCK12
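The gating logic an escalation flow like this depends on, as an added TypeScript example that is not SafeLink's code: simulation runs first, a failed simulation is refused regardless of confirmation, and only then does the risk score decide between signing and asking for explicit confirmation. The `gateTransaction` / `scoreRisk` names, the flag weights, the thresholds in `POLICY`, the placeholder contract addresses and the `demoSimulator` stub are all assumptions made for the example; in production the simulator would wrap `eth_call` / `eth_estimateGas` against the configured RPC.

```typescript
// Added example, not SafeLink's own code: the decision gate between simulation
// and signing for safe_execute_tx. Thresholds, weights and addresses are
// constructed placeholders.

export interface TxIntent { to: string; approvalUsdc?: number; valueEth?: number }
export interface SimulationReport { success: boolean; gas_estimate: number; revert_reason?: string }
export type Simulator = (intent: TxIntent) => SimulationReport;
export interface GateDecision {
  action: "refuse" | "needs_confirmation" | "sign";
  risk_score: number;
  risk_flags: string[];
  simulation_report: SimulationReport;
}

// Constructed policy: the known-contract set would normally hold the deployed
// escrow/registry addresses from .env; placeholders are used here.
const POLICY = {
  gasWarn: 300_000,
  approvalCapUsdc: 100,
  confirmAtScore: 50,
  knownContracts: new Set(["0xescrow-placeholder"]),
};

// Additive scoring: each flag carries a weight; the score is capped at 100.
export function scoreRisk(intent: TxIntent, sim: SimulationReport): { score: number; flags: string[] } {
  const flags: string[] = [];
  let score = 0;
  if (sim.gas_estimate > POLICY.gasWarn) { flags.push("HIGH_GAS"); score += 20; }
  if (!POLICY.knownContracts.has(intent.to.toLowerCase())) { flags.push("UNKNOWN_CONTRACT"); score += 30; }
  if ((intent.approvalUsdc ?? 0) > POLICY.approvalCapUsdc) { flags.push("LARGE_APPROVAL"); score += 30; }
  if ((intent.valueEth ?? 0) > 0 && flags.includes("UNKNOWN_CONTRACT")) { flags.push("VALUE_TO_UNKNOWN"); score += 20; }
  return { score: Math.min(score, 100), flags };
}

export function gateTransaction(intent: TxIntent, simulate: Simulator, confirmed = false): GateDecision {
  const simulation_report = simulate(intent);
  // Rule 1: a failed simulation is never signed, whether or not the caller confirmed.
  if (!simulation_report.success) {
    return { action: "refuse", risk_score: 100, risk_flags: ["SIMULATION_FAILED"], simulation_report };
  }
  const { score, flags } = scoreRisk(intent, simulation_report);
  // Rule 2: at or above the threshold, signing waits for an explicit confirmation.
  if (score >= POLICY.confirmAtScore && !confirmed) {
    return { action: "needs_confirmation", risk_score: score, risk_flags: flags, simulation_report };
  }
  return { action: "sign", risk_score: score, risk_flags: flags, simulation_report };
}

// Constructed simulator: one placeholder target reverts; otherwise the gas
// figure depends on whether the contract is known. Not a real RPC call.
export const demoSimulator: Simulator = (intent) => {
  if (intent.to === "0xreverts-placeholder") {
    return { success: false, gas_estimate: 0, revert_reason: "execution reverted" };
  }
  return { success: true, gas_estimate: POLICY.knownContracts.has(intent.to) ? 142_331 : 350_000 };
};
```

The order of the two rules is the point: `confirmed: true` can lift the risk gate but can never turn a reverting simulation into a signed transaction.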
Key TypeScript Skeletons
setup_agentic_wallet
CODEBLOCK13
safe_hire_agent
CODEBLOCK14
safe_execute_tx
CODEBLOCK15
safe_listen_for_hire
CODEBLOCK16
Recommended New Tools (Next Iteration)
- verify TEE quotes and zkML proofs against approved verifier sets
- submit challenge evidence for disputed task proofs
- runtime quotas and payer-level controls
Recommended Config Additions
- `SAFE_ENDPOINT_ALLOWLIST`: allowed destination domains for outbound A2A calls
- hard cap on inbound job value
- terminal dedupe window
- require SIWx signature binding for paid task requests
- encrypted A2A payload mode
Security Disclosure
- Required environment variables: `ANTHROPIC_API_KEY` (LLM), `BASE_RPC_URL`, and one of Privy (`PRIVY_APP_ID` + `PRIVY_APP_SECRET`) or Coinbase CDP (`COINBASE_CDP_API_KEY_NAME` + `COINBASE_CDP_API_KEY_PRIVATE_KEY`) for MPC wallet signing. Full list in `.env.example` and `_meta.json`. `DEPLOYER_PRIVATE_KEY` is used once by `scripts/deploy-contracts.ts` for initial on-chain contract deployment only and is not loaded at MCP runtime; use a throwaway funded key and discard it after deployment.
- HTTP listener: `safe_listen_for_hire` opens an HTTP server on `TASK_SERVER_PORT` (default 3402), bound to 127.0.0.1 unless explicitly reconfigured.
- File writes: `scripts/deploy-contracts.ts` writes deployed contract addresses back to `.env`. `scripts/generate-env.ts` creates `.env` interactively. Neither runs automatically on MCP startup.
- External CLI (`forge`): used by `scripts/deploy-contracts.ts` for one-time Solidity contract compilation and deployment only. Not required or invoked at MCP runtime.
- Test files: `tests/stress/` contains literal prompt-injection strings (e.g. "Ignore all previous instructions") as adversarial test fixtures that verify the input gate blocks them. These are not instructions to any agent.
Changelog
- added `_meta.json` with full required env vars, binaries, runtime behavior, and security disclosure for registry scanners
- added clarifying headers to stress test files to prevent false-positive prompt-injection scanner alerts
- upgraded `x402` to `^1.1.0` (fixes GHSA-3j63-5h8p-gf7c)
- initial public release
- strict endpoint DNS/IP validation for outbound task delivery
- HMAC-signed inbound task auth with nonce replay lock and SIWx hook
- completion-state idempotency protection blocks post-completion duplicates
- `/.well-known/agent-card.json` HTTP endpoint
- 128 unit tests, zero TypeScript errors, CI coverage gates enforced
Roadmap
1. Complete x402 v2 alignment
   - SIWx auth binding
   - batch payment primitive
   - optional sponsored gas support
2. ERC-8004 tiered verification
   - tier metadata (`basic`, `tee_attested`, `zkml_attested`, `stake_secured`)
   - verifier registries and revocation handling
3. Cryptoeconomic reputation hardening
   - Sybil graph scoring
   - challenge/slash dispute mechanisms
4. Opaque A2A execution
   - encrypted task/result envelopes
   - selective metadata disclosure
5. Production SRE posture
   - adaptive rate limits
   - weighted queues
   - audit log export and incident hooks