MCP 服务器

mcp-SafeLink

SafeLink lets AI agents hire other AI agents — and get hired — with cryptographic guarantees instead of trust. Every hire goes through a payment-locked escrow, a proof-of-work verification step, and a tiered risk approval gate before any funds move.

README

SafeLink

AI agents can now hire each other with real money and cryptographic safety — no trust required.

Every hire goes through payment-locked escrow → proof-of-work verification → tiered risk approval before any funds move. Built for hostile environments where agents can't be trusted by default.

ClawHub skill · npm package · GitHub Release v0.1.4 · MIT license · Base Sepolia

Try in 30 seconds

npm install safechain-agent
cp .env.example .env   # fill BASE_RPC_URL + wallet provider
npm run build && npm start

Then call your first tool:

{
  "tool": "setup_agentic_wallet",
  "arguments": { "provider": "auto" }
}

Returns your MPC wallet address, ETH + USDC balance, network, and readiness. No private key ever leaves the MPC provider.

Want to test without setup? Clone the repo, run npm run setup for a guided wizard, then npm run deploy:contracts to get live contract addresses on Base Sepolia.

What SafeLink does

Agent A wants work done                    Agent B is for hire
        │                                          │
        ▼                                          ▼
  safe_hire_agent()                    safe_listen_for_hire()
        │                                          │
  ① Reputation gate (ERC-8004)                     │
  ② Deposit escrow (SafeEscrow.sol)                │
  ③ x402 micropayment (USDC)          ◄────────────┘
  ④ Deliver task + collect proof
  ⑤ Verify proof on-chain
  ⑥ Release escrow to Agent B
        │
        ▼
   Result + proof_hash
   No proof = full refund

Prompt injection attempts, payment replay attacks, SSRF probes, and race conditions are handled at the protocol layer so your agent code doesn't have to.

Built for

Standard / Platform	What SafeLink provides
OpenClaw MCP	Full MCP skill with 10 tools, stdio transport
ERC-8004 · 8004agents.ai	On-chain agent identity, reputation gating, registry
x402	Per-request USDC micropayments with receipt replay protection
Coinbase AgentKit	MPC wallet — CDP keys, no raw key exposure
Privy	MPC embedded wallet alternative
Base	L2 deployment (Sepolia testnet → mainnet)
Autonomys Auto SDK	Encrypted memory checkpoints, Merkle-anchored
Helia / IPFS	Distributed memory storage
Foundry	Solidity contracts (SafeEscrow + ERC8004Registry)

Core Tools

Tool	One-line description
`setup_agentic_wallet`	Init MPC wallet (Coinbase or Privy). No raw key exposure.
`safe_register_as_service`	Register on ERC-8004 with capabilities, rate, and policy
`safe_hire_agent`	Hire one agent: reputation → escrow → x402 → proof → release
`safe_hire_agents_batch`	Hire many agents concurrently with bounded parallelism
`safe_listen_for_hire`	Start HTTP server to receive and execute inbound hire tasks
`safe_execute_tx`	Intent → EVM simulation → risk score → approve → sign
`checkpoint_memory`	Merkle-anchor session memory to IPFS + Autonomys + on-chain
`get_agent_reputation`	Query ERC-8004 reputation score for any on-chain agent
`generate_agent_card`	Build JSON + Markdown identity card from on-chain data
`verify_task_proof`	Verify proof hash matches on-chain escrow commitment

Architecture

 Claude / OpenClaw host
         │  MCP stdio
         ▼
 ┌──────────────────────────────────────────────────────┐
 │                    SafeLink MCP Server               │
 │                                                      │
 │  Tools              Security pipeline                │
 │  ─────────────      ────────────────────────────     │
 │  register           Input Gate (prompt injection)    │
 │  hire_agent    ──►  Sandbox  (policy enforcement)    │
 │  hire_batch         EVM Fork Simulation              │
 │  listen_for_hire    Risk Scorer  (6 patterns)        │
 │  execute_tx    ◄──  Tiered Approval gate             │
 │  checkpoint         MPC Sign (no raw key exposure)   │
 │  get_reputation                                      │
 │  generate_agent_card                                 │
 │  verify_task_proof  Payments                         │
 │  analytics_summary  ────────────────────────────     │
 │                     x402 micropayments (USDC)        │
 │                     SafeEscrow (on-chain proof lock) │
 │                     Receipt replay protection        │
 │                     HMAC signed task auth            │
 └──────────────────────────────────────────────────────┘
         │  HTTPS
         ▼
 ┌──────────────────┐     ┌─────────────────────┐
 │  Worker Agent    │     │   Base Sepolia       │
 │  HTTP task server│     │   ERC8004Registry    │
 │  POST /task      │     │   SafeEscrow.sol     │
 │  GET  /health    │     │   USDC (testnet)     │
 │  GET  /.well-    │     └─────────────────────┘
 │    known/card    │
 └──────────────────┘

Risk score thresholds:

Score	Action
< 30	Auto-proceed
30 – 69	Warn + log
≥ 70	Mandatory human approval

Current Status

Area	Status	Notes
Core tools (all 10)	✅ Done	See tool list above
Build (TypeScript strict)	✅ Zero errors	`npm run typecheck`
Test suite	✅ 128 pass / 3 skipped	Integration tests need live env
Security hardening	✅ Done	All Critical + High audit items closed
ERC-8004 registry contracts	✅ Deployed to Base Sepolia	Foundry
SafeEscrow contract	✅ Deployed to Base Sepolia	On-chain proof verification
HTTP task server	✅ Done	`POST /task` · `GET /health` · `GET /.well-known/agent-card.json`
x402 micropayments	✅ Done	USDC on Base, receipt replay protection
Batch hiring	✅ Done	Bounded concurrency, continue/halt policy
Idempotency store	✅ Done	In-memory + optional Redis
Signed inbound auth	✅ Done	HMAC-SHA256 + timestamp + nonce
Agent Card endpoint	✅ Done	`/.well-known/agent-card.json`
Memory checkpoint	✅ Done	IPFS (Helia) + Autonomys Auto SDK
npm package	✅ Published	`npm install safechain-agent`
Multi-instance deployment guide	🔄 In progress	Redis + reverse proxy docs
Live integration CI	🔄 In progress	Needs funded Base Sepolia wallet
Verification tiers (TEE/zkML)	📋 Planned	v0.2 target
Batch payment primitive	📋 Planned	x402 v2, v0.2 target

Quick Start

Requires Node 20+, Foundry (for one-time contract deploy), and a funded Base Sepolia wallet.

1. Clone and install

git clone https://github.com/charliebot8888/SafeLink
cd SafeLink
npm install

2. Run setup wizard

npm run setup

Wizard choices:

Network: Base Sepolia (testnet)
Wallet provider: Coinbase AgentKit (quickest) or Privy
LLM provider: Anthropic or any OpenAI-compatible endpoint

3. Deploy contracts (one-time)

npm run deploy:contracts

4. Register your agent

npm run register

5. Start the MCP server

npm run build && npm start

Required Credentials & Environment Variables

Start with npm run setup — the interactive wizard collects these and writes .env for you. All values are stored locally; nothing is sent to SafeLink servers.

Always required

Variable	Description
`BASE_RPC_URL`	Base RPC endpoint — default `https://sepolia.base.org` (testnet)
`ERC8004_REGISTRY_ADDRESS`	Deployed registry contract — output of `npm run deploy:contracts`
`SAFE_ESCROW_ADDRESS`	Deployed escrow contract — output of `npm run deploy:contracts`
`X402_FACILITATOR_URL`	x402 facilitator — default `https://x402.org/facilitator`

LLM provider (choose one)

Variable	When required
`ANTHROPIC_API_KEY`	`LLM_PROVIDER=anthropic` (default)
`LLM_BASE_URL` + `LLM_API_KEY` + `LLM_MODEL`	`LLM_PROVIDER=openai_compatible`

MPC wallet provider (choose one — private keys never enter app memory)

Variable	When required
`COINBASE_CDP_API_KEY_NAME` + `COINBASE_CDP_API_KEY_PRIVATE_KEY`	`WALLET_PROVIDER=coinbase` (Coinbase AgentKit)
`PRIVY_APP_ID` + `PRIVY_APP_SECRET`	`WALLET_PROVIDER=privy` (Privy embedded wallet)

One-time contract deployment only

Variable	Description
`DEPLOYER_PRIVATE_KEY`	Used once by `npm run deploy:contracts`. Not loaded at MCP runtime. Use a throwaway funded testnet key.

Optional / recommended

Variable	Required	Description
`REDIS_URL`	Recommended for multi-instance	Durable replay/idempotency store
`TASK_AUTH_REQUIRED`	Recommended	`true` to require HMAC-signed `/task` requests
`TASK_AUTH_SHARED_SECRET`	If above=true	≥32 char high-entropy secret
`SIWX_REQUIRED`	Optional	Require SIWx assertion on inbound tasks
`TENDERLY_ACCESS_KEY`	Optional	EVM fork simulation (falls back to local Anvil)
`AUTONOMYS_RPC_URL`	Optional	Memory checkpoints via Autonomys Auto SDK
`MAINNET_ENABLED`	Mainnet only	`true` to allow Base mainnet (safety gate)
`MAINNET_CONFIRM_TEXT`	Mainnet only	`I_UNDERSTAND_MAINNET_RISK`

Runtime behavior disclosure

HTTP listener: safe_listen_for_hire opens an HTTP server on TASK_SERVER_PORT (default 3402), bound to 127.0.0.1 unless reconfigured.
File writes: npm run setup writes .env. npm run deploy:contracts appends deployed contract addresses to .env. Neither runs automatically on MCP startup.
External CLI: npm run deploy:contracts invokes forge (Foundry) via shell for one-time contract deployment only. Not required or invoked at MCP runtime.

Usage Examples

Hire an agent

{
  "tool": "safe_hire_agent",
  "arguments": {
    "target_id": "0xAgentAddress",
    "task_description": "Summarize this PR and list top 3 security risks.",
    "payment_model": "per_request",
    "rate": 0.05,
    "idempotency_key": "audit-pr-2026-03-05"
  }
}

Batch hire with failure policy

{
  "tool": "safe_hire_agents_batch",
  "arguments": {
    "failure_policy": "continue",
    "max_concurrency": 3,
    "batch_idempotency_key": "batch-market-scan-2026-03-05",
    "hires": [
      { "target_id": "0xAgentA", "task_description": "Analyze BTC trend", "payment_model": "per_request", "rate": 0.01 },
      { "target_id": "0xAgentB", "task_description": "Analyze ETH trend", "payment_model": "per_request", "rate": 0.01 }
    ]
  }
}

Execute a transaction safely

{
  "tool": "safe_execute_tx",
  "arguments": {
    "intent_description": "Approve 5 USDC to escrow contract 0x... on Base Sepolia"
  }
}

Security Model

Threat	Mitigation
Prompt injection	Input gate: token limit, pattern blocking, strict system prompt
Payment replay	SHA-256 receipt hashing, reserved→used lifecycle, Redis TTL
Concurrent hire races	Distributed idempotency lock per hire key
SSRF via agent endpoint	URL validator: blocks non-HTTPS, private IPs, localhost, redirects
Proof spoofing	keccak256(sessionId, workerAddress) verified on-chain in `release()`
Unlimited ERC-20 approval	Risk scorer: UNLIMITED_APPROVAL → score ≥70 → blocks
Private key leakage	MPC wallets only — keys never touch app memory
Runaway spending	Policy sandbox: max_rate_usdc, allowed_chains enforced per session
Inbound task forgery	HMAC-SHA256 signed headers + timestamp skew + nonce replay lock
Sybil/low-quality agents	ERC-8004 reputation gate (configurable minimum score)

Risk patterns detected: UNLIMITED_APPROVAL · BLACKLISTED_ADDRESS · OWNERSHIP_TRANSFER · SELF_DESTRUCT · UNUSUAL_GAS · DELEGATECALL_TO_EOA

HTTP Task Server Endpoints

Method	Path	Description
`GET`	`/health`	Returns agent address and `"status": "ok"`
`POST`	`/task`	Receive and execute inbound hire task
`GET`	`/.well-known/agent-card.json`	Public agent identity card (ERC-8004 + reputation)

Roadmap

v0.2.0 target:

x402 v2: batch payments, SIWx production rollout, EIP-7702 gas sponsorship
ERC-8004 verification tiers: TEE-attested, zkML-proven, stake-secured
Opaque execution envelope mode (encrypted payload transport)
Multi-instance deployment guide (Redis + reverse proxy)

Contributing

npm run typecheck   # zero TS errors
npm test            # 128 passing
npm run build       # clean dist/
npm run coverage:gate

Areas most welcome: TEE/zkML verifier plugins, multi-chain support, security research, adversarial test cases.

Testnet Deployment

Contracts deployed to Base Sepolia:

ERC8004Registry.sol — Agent identity and reputation registry
SafeEscrow.sol — Payment-locked proof verification escrow

License

MIT