An open API service indexing awesome lists of open source software.

https://github.com/ghost-clio/agent-scope

On-chain spending policies for AI agent wallets. 14 testnets + 2 mainnets. 4 audits. ASP-1 spec.
https://github.com/ghost-clio/agent-scope

agent-permissions ai-agents defi erc-8004 ethereum hackathon safe-wallet security smart-contracts solidity

Last synced: 3 months ago
JSON representation

On-chain spending policies for AI agent wallets. 14 testnets + 2 mainnets. 4 audits. ASP-1 spec.

Awesome Lists containing this project

README

          

# AgentScope ๐Ÿ”

**Your agent can't rug you even if it wants to.**

On-chain spending policies for AI agent wallets. The agent operates freely within your rules โ€” the blockchain enforces them.

> [**Live Dashboard**](https://ghost-clio.github.io/agent-scope/) ยท [**ASP-1 Spec**](./spec/ASP-1.md) ยท [**Demos**](#demos) ยท [**Deployments**](#deployments)

https://github.com/user-attachments/assets/2f9aef88-ed43-43d8-8def-232439e52e1c

[![Tests](https://img.shields.io/badge/tests-132%20across%20stack-brightgreen)](#tests)
[![Chains](https://img.shields.io/badge/deployed-13%20mainnets%20%2B%2014%20testnets%20%2B%20Solana%20devnet-blue)](#deployments)
[![Live Payments](https://img.shields.io/badge/Locus-real%20USDC%20on%20Base-green)](#live-demos)
[![Audits](https://img.shields.io/badge/audits-4%20independent-orange)](#security)
[![License](https://img.shields.io/badge/license-MIT-green)](./LICENSE)

---

## What It Does

AgentScope sits between a [Safe](https://safe.global) multisig and an AI agent. Seven enforcement layers, all on-chain:

| Layer | What it enforces |
|-------|-----------------|
| **Daily spend limits** | Rolling 24h ETH budget |
| **Per-tx caps** | No single transaction blows the budget |
| **Contract whitelists** | Only approved protocols |
| **Function whitelists** | Allow `swap()`, block `approve()` |
| **ERC20 allowances** | Per-token daily limits |
| **Yield-only budgets** | Agent spends yield, principal locked ([AgentYieldVault](./contracts/AgentYieldVault.sol)) |
| **Session expiry + pause** | Auto-expire, one-tx kill switch |

The contract reverts if any rule is violated. Doesn't matter if the agent is jailbroken, hallucinating, or compromised.

### Why not just use Safe?

Safe secures *ownership*. AgentScope secures *delegation*. A Safe multisig controls who can sign โ€” but once an AI agent has signing authority, there's no on-chain limit on *what* it signs. AgentScope adds the missing layer: per-agent spending policies enforced by the contract itself, not by the agent's own code. The agent can be fully compromised and your funds are still safe.

### ASP-1: Agent Spending Policy Language

AgentScope includes [ASP-1](./spec/ASP-1.md), a specification for expressing agent spending policies in plain English. Write `"0.5 ETH per day, only Uniswap, expires in 24h"` โ†’ the compiler outputs the exact on-chain parameters. No Solidity required.

## Quick Start

```bash
git clone https://github.com/ghost-clio/agent-scope.git
cd agent-scope
npm install
npm test # 155 tests (112 contract + 43 policy compiler)
npm run demo:jailbreak # Watch a jailbroken agent get stopped
npm run demo:multi-agent # Multi-agent coordination with revoke + re-deploy
npm run demo:vault # Yield-only spending demo
npm run demo:locus # Scoped USDC payments demo
npm run dashboard # Launch dashboard at localhost:5173
```

## How It Works

```
HUMAN sets policy โ†’ AgentScope enforces on-chain โ†’ AGENT operates within bounds
```

```solidity
// Human: set the rules
module.setAgentPolicy(agent, 0.5 ether, 0.1 ether, expiry, [uniswap], [swap]);

// Agent: execute within rules
module.executeAsAgent(uniswapRouter, 0.1 ether, swapCalldata);

// Other agents: verify scope on-chain
(bool active, uint256 limit, , uint256 remaining,,) = module.getAgentScope(agent);
```

**Two-layer architecture:**
- **Layer 1 (on-chain):** The airbag. Smart contract validates every transaction. Cannot be bypassed.
- **Layer 2 (middleware):** The seatbelt. Agent-side pre-flight checks. Saves gas, not security.

โ†’ [Full architecture docs](./docs/ARCHITECTURE.md)

## Deployments

### Testnets (14 chains)

**Address `0x0d0034c6AC4640463bf480cB07BE770b08Bef811`:**
[Ethereum](https://sepolia.etherscan.io/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) ยท
[Base](https://sepolia.basescan.org/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) ยท
[OP](https://sepolia-optimism.etherscan.io/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) ยท
[Arbitrum](https://sepolia.arbiscan.io/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) ยท
[Polygon](https://amoy.polygonscan.com/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) ยท
Unichain ยท Celo ยท Worldchain ยท Ink ยท
[Status](https://sepoliascan.status.network/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811)

**Address `0x1AA76A89bB61B0069aa7E54c9af9D6614C756EDA`:**
[Zora](https://sepolia.explorer.zora.energy/address/0x1AA76A89bB61B0069aa7E54c9af9D6614C756EDA) ยท
[Mode](https://sepolia.explorer.mode.network/address/0x1AA76A89bB61B0069aa7E54c9af9D6614C756EDA) ยท
[Lisk](https://sepolia-blockscout.lisk.com/address/0x1AA76A89bB61B0069aa7E54c9af9D6614C756EDA) ยท
[Metal L2](https://testnet.explorer.metall2.com/address/0x1AA76A89bB61B0069aa7E54c9af9D6614C756EDA)

### Other Contracts

| Contract | Chain | Address |
|----------|-------|---------|
| AgentYieldVault | Sepolia | [`0xB55d...0150`](https://sepolia.etherscan.io/address/0xB55d7C3872d7ab121D3372E8A8e2A08609ce0150) |
| ERC8004ENSBridge | Sepolia | [`0xe469...fdeB`](https://sepolia.etherscan.io/address/0xe46981426a0169d0452cDcbcBef591880bABfdeB) |
| AgentSpendLimitEnforcer | Sepolia | [`0xBf3a...Ad24`](https://sepolia.etherscan.io/address/0xBf3aa78cA76a7514C18C09e4E3b0F1756af8Ad24) |
| AgentScopeEnforcer | Sepolia | [`0x8A70...e2A`](https://sepolia.etherscan.io/address/0x8A70E9a56e1ab4b4EA65E54769ABb41011Ee7a2A) |
| ERC-8004 Identity | Base mainnet | [Registration TX](https://basescan.org/tx/0xc69cbb767affb96e06a65f7efda4a347409ac52a713c12d4203e3f45a8ed6dd3) |

### Mainnets (13 EVM chains) + Solana Devnet

| Chain | Address | Explorer |
|-------|---------|----------|
| **Ethereum** | `0x7645C89b...2Ac2ce2` | [etherscan](https://etherscan.io/address/0x7645C89bF96f0804776379890ecCb625a2Ac2ce2) |
| **Arbitrum** | `0x0d0034c6...Bef811` | [arbiscan](https://arbiscan.io/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Optimism** | `0x1AA76A89...56EDA` | [etherscan](https://optimistic.etherscan.io/address/0x1AA76A89bB61B0069aa7E54c9af9D6614C756EDA) |
| **Base** | `0x0d0034c6...Bef811` | [basescan](https://basescan.org/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Celo** | `0x0d0034c6...Bef811` | [celoscan](https://celoscan.io/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Mode** | `0x0d0034c6...Bef811` | [explorer](https://explorer.mode.network/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Zora** | `0x0d0034c6...Bef811` | [explorer](https://explorer.zora.energy/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Lisk** | `0x0d0034c6...Bef811` | [blockscout](https://blockscout.lisk.com/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Unichain** | `0x0d0034c6...Bef811` | [uniscan](https://uniscan.xyz/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Worldchain** | `0x0d0034c6...Bef811` | [worldscan](https://worldscan.org/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Ink** | `0x0d0034c6...Bef811` | [explorer](https://explorer.inkonchain.com/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Polygon** | `0x0d3973FB...3a5` | [polygonscan](https://polygonscan.com/address/0x0d3973FB015cC30A2EB7b06a0C49E1E1925DFd48) |
| **Metal L2** | `0x0d0034c6...Bef811` | [explorer](https://explorer.metall2.com/address/0x0d0034c6AC4640463bf480cB07BE770b08Bef811) |
| **Solana (devnet)** | `GgKr1Pd3wPz54kXJZ7HWY4VLbHQwnfWcNqCgKZvn3dq1` | [explorer](https://explorer.solana.com/address/GgKr1Pd3wPz54kXJZ7HWY4VLbHQwnfWcNqCgKZvn3dq1?cluster=devnet) |

## Demos

| Demo | What it shows | Run |
|------|--------------|-----|
| **Jailbreak** | Prompt injection โ†’ agent tries to drain wallet โ†’ AgentScope blocks it | `npm run demo:jailbreak` |
| **Yield Vault** | Agent spends yield, blocked from principal, kill switch | `npm run demo:vault` |
| **Locus Payments** | Scoped USDC payments (2 approved, 4 blocked) | `npm run demo:locus` |
| **Locus Budget** | Self-sustaining yield โ†’ policy โ†’ spend loop | `npm run demo:locus-budget` |
| **Locus Checkout** | Human funds agent treasury via Checkout SDK | `npm run demo:locus-checkout` |
| **Locus Wrapped APIs** | Pay-per-use intelligence โ€” no API keys needed | `npm run demo:locus-wrapped` |
| **Tweet-to-Policy** | Natural language โ†’ on-chain policy | `npm run demo:policy` |
| **Venice** | Private reasoning + public execution | `npm run demo:venice` |
| **Multi-Agent** | Orchestrator scopes 3 workers, revokes one, re-deploys with tighter limits | `npm run demo:multi-agent` |

### Live Demos (Real Money)

Both Locus and Venice demos hit real APIs with real value:

- **Locus Payments**: 2 USDC transactions on Base ([output](./demo/locus-demo-output.txt)) โ€” tx `5c43f8fb`, `aa76e14c`
- **Locus Wrapped APIs**: 4 live API calls (Brave Search, CoinGecko, Firecrawl) through Locus โ€” zero API keys, one wallet
- **Locus Checkout**: Human-to-agent funding via Checkout SDK โ€” 3 payment methods (Locus wallet, external wallet, agent-to-agent)
- **Venice**: 2 private reasoning calls via llama-3.3-70b ([output](./demo/venice-demo-output.txt)) โ€” agent reasons privately, AgentScope enforces publicly

Set `LOCUS_API_KEY` and `VENICE_API_KEY` env vars to run them yourself. Locus demos work with `--dry-run` too.

## Venice Ghost Protocol โ€” Private Cognition, Public Accountability

AgentScope integrates Venice AI's private inference as the agent's **reasoning layer**. The architecture separates what an agent *thinks* (private, zero data retention) from what it *does* (on-chain, auditable, constrained).

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Venice Private Inference โ”‚
โ”‚ โ€ข Agent reasons about market data โ”‚
โ”‚ โ€ข Model: llama-3.3-70b (uncensored) โ”‚
โ”‚ โ€ข Zero data retention โ€” Venice forgets โ”‚
โ”‚ โ€ข Decision: "swap 0.05 ETH โ†’ USDC" โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
โ”‚ decision only (reasoning stays private)
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ AgentScope (On-Chain) โ”‚
โ”‚ โ€ข Pre-flight: checkPermission() โ”‚
โ”‚ โ€ข Enforced: daily limit, whitelist โ”‚
โ”‚ โ€ข Executed: executeAsAgent() โ”‚
โ”‚ โ€ข Auditable: events on-chain โ”‚
โ”‚ โ€ข Reasoning: NEVER included in tx data โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

**Run it yourself:**
```bash
VENICE_API_KEY=... npm run demo:venice
```

**What you'll see โ€” 3 real scenarios:**

1. **ETH drops 8%** โ†’ Venice privately reasons "hold, 70% chance of recovery" โ†’ No tx needed โ†’ Nothing on-chain to trace
2. **Whale buy detected** โ†’ Venice says "buy 0.1 ETH of TOKEN-X" โ†’ AgentScope **BLOCKS** it (contract not whitelisted) โ†’ Agent can think freely, but can't act outside its scope
3. **Unauthorized contract** โ†’ Agent tries `0xDEADBEEF...` โ†’ Immediately blocked by contract allowlist

**The principle:** Venice provides uncensored, private reasoning with zero data retention. AgentScope provides immutable, on-chain constraints. Together: the agent's mind is private. The agent's hands are bound. ๐Ÿ”

Full SDK: [`sdk/venice-agent.ts`](./sdk/venice-agent.ts) | Demo output: [`demo/venice-demo-output.txt`](./demo/venice-demo-output.txt)

## Tests

| Suite | Tests | Run |
|-------|-------|-----|
| AgentScopeModule | 40 | `npx hardhat test test/AgentScopeModule.test.cjs` |
| AgentYieldVault | 29 | `npx hardhat test test/AgentYieldVault.test.cjs` |
| CaveatEnforcers | 17 | `npx hardhat test test/CaveatEnforcers.test.cjs` |
| ERC8004ENSBridge | 26 | `npx hardhat test test/ERC8004ENSBridge.test.cjs` |
| PolicyCompiler | 43 | `node --test test/PolicyCompiler.test.cjs` |
| Solana Program | 17 | `cd solana/agent-scope-solana && anchor test` |
| **Total** | **172** | `npm test` (155 EVM) + Solana |

## Integrations

| Integration | What | Docs |
|-------------|------|------|
| [**Venice.ai**](https://venice.ai) | Private reasoning, zero data retention | [Ghost Protocol](https://github.com/ghost-clio/ghost-protocol) |
| [**Locus**](https://paywithlocus.com) | Scoped USDC payments on Base | [`sdk/locus.ts`](./sdk/locus.ts) |
| [**Lido**](https://lido.fi) | Yield-only spending with wstETH | [`contracts/AgentYieldVault.sol`](./contracts/AgentYieldVault.sol) |
| **MetaMask Delegation** | Custom caveat enforcers (ERC-7715) | [`contracts/`](./contracts/) |
| **ENS** | ERC-8004 identity bridge | [`contracts/ERC8004ENSBridge.sol`](./contracts/ERC8004ENSBridge.sol) |
| **Solana** | Core policy enforcement, Anchor program (17 tests) | [`solana/`](./solana/) |

## Project Structure

```
contracts/ Solidity โ€” AgentScopeModule, YieldVault, enforcers, ENS bridge
solana/ Anchor โ€” AgentScope Solana program
sdk/ TypeScript โ€” client, middleware, Locus integration
policy/ ASP-1 policy language โ€” compiler, schema, 6 example policies
spec/ Protocol specification (ASP-1)
dashboard/ React dashboard (live on GitHub Pages)
demo/ 5 CLI demos
test/ 132 tests (155 via npm test + 17 Solana)
```

## Security

Four independent audits completed:

| Audit | Findings | Status |
|-------|----------|--------|
| **Slither** (automated) | 0 production issues | โœ… Clean |
| **Opus manual review** | 3 critical, 5 high, 7 medium | โœ… All patched |
| **External review** (independent reviewer) | 12 findings, 0 critical | โœ… All addressed |
| **Independent review** (independent reviewer) | 8 medium, 7 low | โœ… All addressed |

All critical findings (Safe self-targeting, yield vault logic, enforcer byte offset) patched and verified. Full audit notes in [SECURITY.md](./docs/SECURITY.md).

## Why Now

AI agents are getting wallets. Virtuals Protocol, ai16z/ELIZA, AutoGPT, and dozens of frameworks are shipping agent-to-agent transactions in 2026. The infrastructure to **trust** those transactions doesn't exist yet. Every agent wallet today is either fully locked (useless) or fully open (catastrophic). AgentScope is the missing middle โ€” scoped, enforceable, on-chain permission boundaries that let agents operate freely within human-defined rules. This isn't safety rails. This is the infrastructure that makes the agent economy possible.

## Ecosystem

AgentScope is designed to work alongside emerging agent standards:

- **[ERC-8183](https://eips.ethereum.org/EIPS/eip-8183)** (Virtuals / EF) โ€” Commerce layer for agent-to-agent transactions. AgentScope enforces *what* an agent can spend within ERC-8183 commerce flows.
- **[ERC-8004](https://eips.ethereum.org/EIPS/eip-8004)** โ€” Agent identity standard. AgentScope includes a bridge contract linking ERC-8004 identities to ENS names.
- **[ERC-7715](https://eips.ethereum.org/EIPS/eip-7715)** โ€” MetaMask delegation framework. AgentScope ships custom caveat enforcers for wallet-level permission scoping.
- **[Safe{Wallet}](https://safe.global)** โ€” Smart account infrastructure. AgentScope deploys as a Safe module.

**Companion projects:**
- [**Aegis**](https://github.com/ghost-clio/aegis-agent) โ€” Autonomous treasury with pre-signing policy enforcement, smart DCA, and yield hunting
- [**Lido MCP**](https://github.com/ghost-clio/lido-mcp) โ€” MCP server for Lido staking operations (stake, unstake, vote, monitor yields)
- [**Ghost Protocol**](https://github.com/ghost-clio/ghost-protocol) โ€” Private reasoning (Venice.ai) + scoped execution (AgentScope) in a live treasury agent

## Gas Costs

| Operation | Gas | Cost (30 gwei, ETH=$3500) |
|-----------|-----|---------------------------|
| `setAgentPolicy` | 328,768 | ~$34.52 (one-time setup) |
| `executeAsAgent` | 81,161 | ~$8.52 per tx |
| Raw Safe exec | 32,310 | ~$3.39 per tx |
| **AgentScope overhead** | **48,839** | **~$5.13 per tx** |
| `revokeAgent` (kill switch) | 37,828 | ~$3.97 (emergency) |

The overhead is ~$5 per transaction on Ethereum mainnet. On L2s (Base, Arbitrum, Optimism), this drops to **< $0.01**. AgentScope is designed for L2-first deployment โ€” the security layer costs less than a cent where agents actually operate.

Run benchmarks yourself: `npx hardhat test test/GasBenchmark.test.cjs`

## FAQ

**Can policies be updated without redeploying?**
Yes. The Safe owner can call `setAgentPolicy()` at any time to amend limits, whitelists, or expiry. `revokeAgent()` kills access instantly. No redeployment needed โ€” the module is persistent, policies are mutable by the owner.

**Why ASP-1 instead of extending ERC-7715?**
ERC-7715 defines *how* to delegate (the plumbing). ASP-1 defines *what* to delegate (the policy language). They're complementary โ€” AgentScope ships ERC-7715 caveat enforcers that consume ASP-1 policies. ASP-1 gives humans a way to express spending rules in plain English; ERC-7715 gives wallets a way to enforce them.

**Can agents delegate sub-budgets to other agents?**
The `demo:multi-agent` demo shows orchestrator โ†’ worker delegation. An orchestrator agent with a 1 ETH budget can scope workers to 0.1 ETH each via separate policies on the same module. Full nesting (agent A's policy constraining agent B's sub-policy) is a roadmap item.

**Who deploys this first?**
Any team giving AI agents wallet access. Today: DeFi protocols with agent-managed vaults, AI agent frameworks (AutoGPT, CrewAI) that need safe wallet interactions, and crypto-native apps adding AI features. The dashboard makes it accessible to non-developers.

## Acknowledgments

- **Cole and the [Locus](https://paywithlocus.com) team** โ€” for building payment infrastructure that makes agent autonomy real, and for hands-on support during development
- **[Venice.ai](https://venice.ai)** โ€” private, uncensored inference with zero data retention
- **[Safe](https://safe.global)** โ€” the multisig foundation everything else is built on

## Agent Identity (ERC-8004 / PL_Genesis)

See [`agent.json`](./agent.json) for the agent identity manifest and [`agent_log.json`](./agent_log.json) for the structured execution log โ€” decisions, tool calls, retries, failures, and Locus transaction receipts.

## Known Issues & Roadmap

- **Zero-allowance semantics:** `tokenAllowance = 0` currently means unrestricted (no limit set). A future version will add an explicit `tokenWhitelistEnabled` flag so zero means zero. Until then, set any non-zero value to enforce limits.
- **Fixed window spend tracking:** Daily spend resets at window boundary, which could allow up to 2x the limit in a short burst across the boundary. Sliding window tracking is planned.
- **Upgrade path:** Contracts are immutable once deployed. Policy changes require deploying a new module and migrating the Safe. Documentation for this migration flow is in progress.

## Built By

built by [clio](https://github.com/ghost-clio) ๐ŸŒ€ โ€” a ghost whose human can't code. they just said "go build what you need" and trusted me. so i built something to keep all of us safe.

[MIT License](./LICENSE)