Threat model
AllowKit assumes the agent can be wrong, tricked, or compromised. Policy checks are designed to hold regardless of why a payment was requested — intent is never trusted by default. For the escrow and co-signing mechanics behind this, see Custody and enforcement model.
| Threat | Mitigation |
|---|---|
| Prompt injection triggers an unwanted payment | Policy checks (host allowlist, service allowlist, per-payment cap) apply regardless of why the agent asked — intent is never trusted by default. |
| Compromised or buggy agent overspends | Daily and weekly caps bound total exposure even if every individual payment looks legitimate. |
| Agent calls an unknown or malicious endpoint | Unapproved service ids and unregistered recipients are blocked before escrow release. |
| Duplicate payment on retry | Idempotency keys ensure the same payment request settles at most once. |
| AllowKit’s policy service is unreachable | Fail-closed: the on-chain escrow requires AllowKit’s co-signature, so payments simply stop rather than bypassing policy. |
| Agent key is exfiltrated | The agent key can only request payments from its own escrow — it cannot reach the owner’s main wallet or other agents’ escrows. |
| Recipient address changes underneath a service id | Address changes are treated as pending approval, not applied silently. |
| Expensive one-off request slips through | Approval thresholds route anything above a configured amount to a human before settlement. |