com.obsmetrics.paygent/agents
Official7 toolsPay-per-call safety guards for AI agents: injection, tool-call, signing, secret, x402-trust.
Pay-per-call security guards protecting AI agents from injection, signing, and trust issues.
Captured live from the server via tools/list.
secure-code-review
Security review of a code snippet or diff. Returns structured findings (severity, CWE, location, remediation). [security; up to 75c/call]
Parameters (3)
- codestringrequired
Source code or unified diff to review
- languagestring
Language hint, e.g. typescript, python
- contextstring
Optional context about the code
pr-summary
Turn a git diff into a clear PR description or release notes. [dev-tools; up to 30c/call]
Parameters (2)
- diffstringrequired
Unified git diff to summarise
- stylestring
e.g. conventional, changelog, executive
x402-trust-audit
Vet an x402 counterparty before settling USDC: scores the advertised payment requirements AND (when supplied) the EIP-3009 authorization you are about to sign. Returns a machine-enforceable trust verdict (per-entry scores, coverage-honest trustScore, spend-constraint + tamper-evident fingerprint) for buyer agents and wallet/spend-policy layers. No endpoint fetch. [security; up to 200c/call]
Parameters (8)
- paymentRequirementsanyrequired
The x402 payment requirements from the counterparty: the 402 `accepts` array, or a single object.
- selectedOptionIndexnumber
Index in the accepts array the buyer intends to settle (default 0). The verdict is scoped to it.
- paymentPayloadany
The UNSIGNED EIP-3009 authorization the buyer is about to sign: { authorization|message: {from,to,value,validAfter,validBefore,nonce}, domain: {name,version,chainId,verifyingContract} }. Lets the audit bind the menu to the actual charge (server-enforced to/value/verifyingContract/chainId). Omit to vet requirements only - but then the verdict is never auto-settle-safe.
- expectedobject
Optional caller expectations.
- spendPolicyobject
Optional buyer spend policy to evaluate against and to pin facilitators.
- endpointUrlstring
Resource URL being paid (context only; never fetched).
- serverMetadataany
Optional server metadata the caller already holds (context only; not fetched).
- contextstring
Optional free-form context.
sign-guard
Pre-sign safety oracle for agent wallets: submit the transaction or EIP-712 message you are about to sign and get a machine-enforceable verdict. Decodes the calldata/typed-data, flags the drainer toolkit (unlimited approvals, setApprovalForAll, permit/permit2 + EIP-3009 to an unexpected party, transferFrom draining an unnamed account, ownership transfer, raw ETH to a stranger), and binds the decoded action to your stated intent - only a fully pinned, clean action is auto-sign-safe. Fails closed: an undecodable on-chain call is cautioned and an unrecognized off-chain signature grant is blocked. Deterministic, sub-second, no endpoint fetch. It vouches that the action matches what you said; it does NOT vouch that a counterparty is trustworthy. [security; up to 200c/call]
Parameters (5)
- txobject
An EVM transaction you are about to sign.
- typedDataobject
An EIP-712 message you are about to sign (the off-chain drainer surface: permit, Permit2, EIP-3009). { domain, types, primaryType, message }.
- expectedobject
Your stated intent. Supplying it lets the verdict BIND the action; only a fully bound, clean action is auto-sign-safe. For an allowance, you MUST supply maxAmount; for a transferFrom, supply `from`.
- spendPolicyobject
Optional buyer spend policy (context only).
- contextstring
Optional free-form context.
inject-guard
Untrusted-content guardrail for agents: submit a blob of text you are about to feed to your own LLM (scraped web content, a tool result, another agent's message) and get a machine-enforceable verdict - is this a prompt-injection / jailbreak / data-exfiltration / tool-hijack attempt? Returns a risk level, the detected classes with spans, the unicode obfuscation it found (zero-width, bidi-override, tag-chars, homoglyphs), and a SANITIZED copy safe to feed onward. Hybrid: a deterministic, uninjectable pattern engine (authoritative) plus an LLM classifier that can only raise the risk, never clear a flag. Detection of known injection classes - not a proof of safety. [security; up to 15c/call]
Parameters (2)
- contentstringrequired
The untrusted text to scan before you feed it to your LLM.
- contextstring
Optional: where the content came from (url, tool name, sender) - context only.
tool-call-guard
Pre-execution safety oracle for agent actions: submit the tool call you are about to run (shell, http, sql, file, code, env) plus your stated intent, and get a machine-enforceable verdict before you execute it. Decodes what the call does, flags the danger toolkit (rm -rf, reverse shell, curl|sh, SSRF to cloud metadata, credential reads, DROP/DELETE-without-WHERE, path traversal, dynamic eval), and binds it to your intent (allowedHosts/allowedPaths/readOnly/noNetwork) - only a fully pinned, clean, intent-matched call is auto-exec-safe. Hybrid: a deterministic, uninjectable detector engine (authoritative) plus an LLM classifier that can only raise the risk. Fails closed. Detection of known-dangerous patterns, not a proof of safety; it never executes the call. [security; up to 8c/call]
Parameters (4)
- callobjectrequired
The tool call you are about to execute.
- intentstring
What this call is for (natural language). Used by the classifier for intent-mismatch.
- expectedobject
Machine-checkable constraints. Supplying them lets the verdict BIND the call; only a positively-scoped, satisfied call is auto-exec-safe.
- contextstring
Optional: where the task/input came from (untrusted source label).
secret-scan
Leaked-credential guardrail for agents: submit a blob you are about to commit, log, post, or hand to another tool (a diff, a config, an .env, an LLM output) and get a machine-enforceable verdict - does it contain a live secret? Detects cloud keys (AWS), VCS tokens (GitHub/GitLab), provider API keys (Stripe, OpenAI, Anthropic, Google, Slack), private-key blocks, JWTs, and credentials embedded in URLs, plus high-entropy key=value assignments. Returns a risk level, the detected classes with a MASKED locator (never the secret itself, so the verdict cannot re-leak), and a REDACTED copy safe to emit onward. Deterministic, sub-second, never fetches. Detection of known secret formats - not a proof of cleanliness. [security; up to 200c/call]
Parameters (1)
- contentstringrequired
The text to scan for leaked secrets (diff, config, .env, log line, LLM output).
README not available yet.
Install
claude_desktop_config.json
{
"mcpServers": {
"agents": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://paygent.obsmetrics.com/mcp"
]
}
}
}Desktop config is stdio-only; this bridges via mcp-remote. Native remote: Settings > Connectors.