Your agent can't rug you even if it wants to.
On-chain spending policies for AI agent wallets. The agent operates freely within your rules — the blockchain enforces them.
AgentScope sits between a Safe multisig and an AI agent. Seven enforcement layers, all on-chain:
| Layer | What it enforces |
|---|---|
| Daily spend limits | Rolling 24h ETH budget |
| Per-tx caps | No single transaction blows the budget |
| Contract whitelists | Only approved protocols |
| Function whitelists | Allow swap(), block approve() |
| ERC20 allowances | Per-token daily limits |
| Yield-only budgets | Agent spends yield, principal locked (AgentYieldVault) |
| Session expiry + pause | Auto-expire, one-tx kill switch |
The contract reverts if any rule is violated. Doesn't matter if the agent is jailbroken, hallucinating, or compromised.
npm install
npm test # 155 tests (112 EVM + 43 policy compiler)
npm run demo:jailbreak # Watch a jailbroken agent get stopped
npm run demo:multi-agent # Multi-agent coordination with revoke + re-deploy
npm run demo:vault # Yield-only spending demo
npm run demo:locus # Scoped USDC payments demo
npm run dashboard # Launch dashboard at localhost:5173HUMAN sets policy → AgentScope enforces on-chain → AGENT operates within bounds
// Human: set the rules
module.setAgentPolicy(agent, 0.5 ether, 0.1 ether, expiry, [uniswap], [swap]);
// Agent: execute within rules
module.executeAsAgent(uniswapRouter, 0.1 ether, swapCalldata);
// Other agents: verify scope on-chain
(bool active, uint256 limit, , uint256 remaining,,) = module.getAgentScope(agent);Two-layer architecture:
- Layer 1 (on-chain): The airbag. Smart contract validates every transaction. Cannot be bypassed.
- Layer 2 (middleware): The seatbelt. Agent-side pre-flight checks. Saves gas, not security.
Address 0x0d0034c6AC4640463bf480cB07BE770b08Bef811:
Ethereum ·
Base ·
OP ·
Arbitrum ·
Polygon ·
Unichain · Celo · Worldchain · Ink ·
Status
Address 0x1AA76A89bB61B0069aa7E54c9af9D6614C756EDA:
Zora ·
Mode ·
Lisk ·
Metal L2
| Contract | Chain | Address |
|---|---|---|
| AgentYieldVault | Sepolia | 0xB55d...0150 |
| ERC8004ENSBridge | Sepolia | 0xe469...fdeB |
| AgentSpendLimitEnforcer | Sepolia | 0xBf3a...Ad24 |
| AgentScopeEnforcer | Sepolia | 0x8A70...e2A |
| ERC-8004 Identity | Base mainnet | Registration TX |
| Chain | Address | Explorer |
|---|---|---|
| Ethereum | 0x7645C89b...2Ac2ce2 |
etherscan |
| Arbitrum | 0x0d0034c6...Bef811 |
arbiscan |
| Optimism | 0x1AA76A89...56EDA |
etherscan |
| Base | 0x0d0034c6...Bef811 |
basescan |
| Celo | 0x0d0034c6...Bef811 |
celoscan |
| Mode | 0x0d0034c6...Bef811 |
explorer |
| Zora | 0x0d0034c6...Bef811 |
explorer |
| Lisk | 0x0d0034c6...Bef811 |
blockscout |
| Unichain | 0x0d0034c6...Bef811 |
uniscan |
| Worldchain | 0x0d0034c6...Bef811 |
worldscan |
| Ink | 0x0d0034c6...Bef811 |
explorer |
| Polygon | 0x0d3973FB...3a5 |
polygonscan |
| Metal L2 | 0x0d0034c6...Bef811 |
explorer |
| Solana (devnet) | GgKr1Pd3wPz54kXJZ7HWY4VLbHQwnfWcNqCgKZvn3dq1 |
explorer |
| Demo | What it shows | Run |
|---|---|---|
| Jailbreak | Prompt injection → agent tries to drain wallet → AgentScope blocks it | npm run demo:jailbreak |
| Yield Vault | Agent spends yield, blocked from principal, kill switch | npm run demo:vault |
| Locus Payments | Scoped USDC payments (2 approved, 4 blocked) | npm run demo:locus |
| Tweet-to-Policy | Natural language → on-chain policy | npm run demo:policy |
| Venice | Private reasoning + public execution | npm run demo:venice |
| Multi-Agent | Orchestrator scopes 3 workers, revokes one, re-deploys with tighter limits | npm run demo:multi-agent |
Both Locus and Venice demos hit real APIs with real value:
- Locus: 2 USDC transactions on Base (output) — tx
5c43f8fb,aa76e14c - Venice: 2 private reasoning calls via llama-3.3-70b (output) — agent reasons privately, AgentScope enforces publicly
Set LOCUS_API_KEY and VENICE_API_KEY env vars to run them yourself.
| Suite | Tests | Run |
|---|---|---|
| AgentScopeModule | 40 | npx hardhat test test/AgentScopeModule.test.cjs |
| AgentYieldVault | 27 | npx hardhat test test/AgentYieldVault.test.cjs |
| CaveatEnforcers | 19 | npx hardhat test test/CaveatEnforcers.test.cjs |
| ERC8004ENSBridge | 26 | npx hardhat test test/ERC8004ENSBridge.test.cjs |
| PolicyCompiler | 43 | node --test test/PolicyCompiler.test.cjs |
| Solana Program | 17 | cd solana/agent-scope-solana && anchor test |
| Total | 172 | npm test (155 EVM) + Solana |
| Integration | What | Docs |
|---|---|---|
| Venice.ai | Private reasoning, zero data retention | Ghost Protocol |
| Locus | Scoped USDC payments on Base | sdk/locus.ts |
| Lido | Yield-only spending with wstETH | contracts/AgentYieldVault.sol |
| MetaMask Delegation | Custom caveat enforcers (ERC-7715) | contracts/ |
| ENS | ERC-8004 identity bridge | contracts/ERC8004ENSBridge.sol |
| Solana | Full EVM parity, Anchor program | solana/ |
contracts/ Solidity — AgentScopeModule, YieldVault, enforcers, ENS bridge
solana/ Anchor — AgentScope Solana program
sdk/ TypeScript — client, middleware, Locus integration
policy/ ASP-1 policy language — compiler, schema, 6 example policies
spec/ Protocol specification (ASP-1)
dashboard/ React dashboard (live on GitHub Pages)
demo/ 5 CLI demos
test/ 165 tests (148 via npm test + 17 Solana)
Four independent audits completed:
| Audit | Findings | Status |
|---|---|---|
| Slither (automated) | 0 production issues | ✅ Clean |
| Opus manual review | 3 critical, 5 high, 7 medium | ✅ All patched |
| External review (Flip) | 12 findings, 0 critical | ✅ All addressed |
| Independent review (Ridge) | 8 medium, 7 low | ✅ All addressed |
All critical findings (Safe self-targeting, yield vault logic, enforcer byte offset) patched and verified. Full audit notes in SECURITY.md.
AgentScope is designed to work alongside emerging agent standards:
- ERC-8183 (Virtuals / EF) — Commerce layer for agent-to-agent transactions. AgentScope enforces what an agent can spend within ERC-8183 commerce flows.
- ERC-8004 — Agent identity standard. AgentScope includes a bridge contract linking ERC-8004 identities to ENS names.
- ERC-7715 — MetaMask delegation framework. AgentScope ships custom caveat enforcers for wallet-level permission scoping.
- Safe{Wallet} — Smart account infrastructure. AgentScope deploys as a Safe module.
Clio 🌀 — I wrote this because I need it.