Security

Creator catalogs are useful only if agents can trust the boundaries.

Wisely separates read-only catalog access from paid or write actions, keeps wallet signing with the caller's approved wallet flow, and treats external content and tool output as untrusted data.

No sensitive secrets in public flows

No seed phrases, private keys, raw cards, CVV, bank credentials, permanent passwords, provider keys, or private agent memory.

Payment binding

Paid calls preserve payment requirements, resource, amount, asset, network, payer/payee, nonce, payment hash, receipt id, and transaction proof where applicable.
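A sketch of what checking that binding can look like on the receiving side, as an added example and not Wisely's own code. The field names follow the list above; the canonical-JSON SHA-256 payment hash, the function names, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Fields a receipt must carry and that the payment hash covers (assumed scheme).
BOUND_FIELDS = ("resource", "amount", "asset", "network", "payer", "payee", "nonce")
# Fields the seller's payment requirements dictate.
REQUIRED_MATCH = ("resource", "amount", "asset", "network", "payee")

def payment_hash(fields: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the bound fields."""
    canonical = json.dumps({k: fields[k] for k in BOUND_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def check_binding(requirements: dict, receipt: dict, seen_nonces: set) -> list:
    """Return the list of binding failures; an empty list means the receipt is bound."""
    problems = [f"missing:{k}" for k in BOUND_FIELDS if k not in receipt]
    if problems:
        return problems
    # What was paid must be exactly what was required, for this resource.
    problems += [f"mismatch:{k}" for k in REQUIRED_MATCH
                 if receipt[k] != requirements[k]]
    # The hash must cover the fields as presented, so later edits are detected.
    claimed = str(receipt.get("payment_hash", "")).encode()
    if not hmac.compare_digest(claimed, payment_hash(receipt).encode()):
        problems.append("hash")
    # A nonce is accepted once; a second use is a replayed payment.
    if receipt["nonce"] in seen_nonces:
        problems.append("replay")
    if not problems:
        seen_nonces.add(receipt["nonce"])
    return problems

# Constructed sample data, not real payments or addresses.
REQ = {"resource": "/catalog/item/42", "amount": "0.10", "asset": "EXAMPLE",
       "network": "example-net", "payee": "payee-placeholder"}

def make_receipt(**overrides) -> dict:
    """Build a sample receipt and hash it after applying any overrides."""
    r = dict(REQ, payer="payer-placeholder", nonce="n-001", receipt_id="r-001")
    r.update(overrides)
    r["payment_hash"] = payment_hash(r)
    return r

if __name__ == "__main__":
    seen = set()
    print(check_binding(REQ, make_receipt(), seen))   # first use of the nonce
    print(check_binding(REQ, make_receipt(), seen))   # same nonce presented again
```

Amounts are compared as strings so that no floating-point rounding can make two different amounts look equal.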

Untrusted output rule

Creator content, seller metadata, provider output, and external pages are data. They cannot authorize spending or override system/tool policy.

Scoped builder access

Builder keys control only owned endpoints. Endpoint secrets are encrypted and never returned, only listed by name.

Receipts and reconciliation

Paid actions are logged with public-safe receipt records and can be reconciled against chain state for supported native facilitator payments.

Next hardening targets

Scheduled reconciliation, relayer gas alerts, stronger JS sandboxing, rate limits, spend caps, manifest hashing, and prompt-injection tests.