feat: add agent-payment-x402 skill for autonomous agent payments #893

Merged
affaan-m merged 3 commits into affaan-m:main from up2itnow0822:feat/agent-payment-x402-skill
Mar 29, 2026

@up2itnow0822 up2itnow0822 commented Mar 24, 2026

What

Adds agent-payment-x402 — a skill that enables AI agents to make autonomous payments with built-in spending controls via the x402 HTTP payment protocol and MCP tools.

Why

The skills directory covers coding, testing, deploying, researching, and security — but not payment execution. As agents compose more skills per session, some will need to purchase API calls, settle with other agents, or provision paid resources. This skill fills that gap.

What's included

  • x402 protocol flow: Machine-negotiable HTTP 402 → negotiate → sign → retry
  • Spending controls: Per-task budgets, session limits, allowlisted recipients, rate limits
  • Non-custodial wallets: ERC-4337 smart accounts — orchestrator sets policy, agent spends within bounds
  • MCP integration: Drop-in mcpServers config with npx agentwallet-sdk
  • Best practices: Fail-closed design, audit trails, testnet-first development

Pairs with existing skills

  • mcp-server-patterns — for building/configuring MCP servers
  • cost-aware-llm-pipeline — for controlling LLM costs (this extends cost control to external payments)
  • security-review — payment tools are high-privilege, same scrutiny as shell access

Production references

Follows the CONTRIBUTING.md skill template format (YAML frontmatter + structured sections).


Summary by cubic

Adds agent-payment-x402, a skill for autonomous payments via the x402 protocol with strict guardrails. Integrates MCP tools so agents can pay APIs/services within budgets using non-custodial wallets; policy is orchestrator-controlled and agentwallet-sdk@6.0.0 is pinned.

  • New Features

    • Implements x402 flow (HTTP 402 → negotiate/sign/retry).
    • Enforces per-task/session budgets, allowlists, and rate limits.
    • MCP tools: get_balance, send_payment, check_spending, list_transactions.
    • Uses ERC-4337 smart accounts with fail-closed design, audit trails, and testnet-first guidance.
  • Bug Fixes

    • set_policy is orchestrator-only; removed from agent-callable tools table.
    • Pin agentwallet-sdk@6.0.0 with pre-install guidance to avoid npx prompt hangs; whitelist only required env vars (PATH, NODE_ENV, WALLET_PRIVATE_KEY); added supply-chain risk note.
    • Completed runnable MCP client example: validate WALLET_PRIVATE_KEY, import StdioClientTransport, call Client.connect(), wrap in async main, verify set_policy via isError, use Number.isFinite, and add five fail-closed paths (invalid apiCost, transport failure, tool error, unexpected format, budget exceeded).
    • Docs polish: headings aligned to template, replaced mcp-server-patterns cross-ref with security-review, and added “Pin your dependencies” best practice.

Written for commit 95a1435. Summary will update on new commits.

Summary by CodeRabbit

  • Documentation
    • Added Agent Payment Execution (x402) docs describing autonomous agent payment flows: HTTP-triggered payment workflow, price negotiation, signing, retries, and fail-closed behavior.
    • Details non-custodial wallet operation and orchestrator-enforced spending policies (per-task/session limits, allowlists, rate limits) with pre-dispatch budget checks.
    • Includes MCP integration guidance, agent-callable payment tools overview, example usage patterns, auditing recommendations, and production best practices.

Adds a skill for x402 payment execution with MCP integration:
- Per-task and per-session spending controls
- Non-custodial wallet management (ERC-4337)
- Pairs with mcp-server-patterns and cost-aware-llm-pipeline skills
- Production reference: merged into NVIDIA NeMo Agent Toolkit (PR affaan-m#17)
- npm package: agentwallet-sdk

coderabbitai Bot commented Mar 24, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adds a new skill specification document "Agent Payment Execution (x402)" describing MCP agentpay payment tools, a required orchestrator-set SpendingPolicy, ERC-4337 non-custodial flow, agent-callable toolset (get_balance, send_payment, check_spending, list_transactions), and a TypeScript pre-dispatch check example. (39 words)

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Agent Payment Skill Documentation: `skills/agent-payment-x402/SKILL.md` | Adds the Agent Payment Execution (x402) skill spec: defines SpendingPolicy (per-task/session limits, allowlist, rate limits), MCP agentpay server configuration and agent-callable tools, mandates orchestrator set_policy, describes ERC-4337 non-custodial orchestration, includes TypeScript fail-closed check_spending example and production references. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Orchestrator
    participant Agent
    participant MCP_Server as MCP (agentpay)
    participant SmartAccount as ERC-4337
    participant Blockchain

    Orchestrator->>MCP_Server: set_policy(SpendingPolicy)
    Orchestrator-->>Agent: delegate_with_policy
    Agent->>MCP_Server: check_spending / get_balance
    MCP_Server->>SmartAccount: query_balance
    SmartAccount->>Blockchain: fetch_state
    Blockchain-->>SmartAccount: state
    SmartAccount-->>MCP_Server: balance_info
    MCP_Server-->>Agent: balance_result
    Agent->>MCP_Server: send_payment(tx_request)
    MCP_Server->>SmartAccount: sign_and_send(tx_request)
    SmartAccount->>Blockchain: submit_transaction
    Blockchain-->>SmartAccount: tx_receipt
    SmartAccount-->>MCP_Server: tx_receipt
    MCP_Server-->>Agent: tx_result
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • affaan-m

Poem

🐰 I hopped through policy lines and keys,
Set budgets snug beneath the trees.
I nudged a tx, it leapt, then stayed—
Receipts all safe, the coins well-paid. 🥕✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding a new skill for autonomous agent payments using the x402 protocol. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@skills/agent-payment-x402/SKILL.md`:
- Around line 15-69: Rename or move the existing "Core Concepts" and "MCP
Integration" sections under a new "## How It Works" heading (i.e., replace the
"Core Concepts" and "MCP Integration" headings with "How It Works" and keep
their content intact), and rename the "## Example: Pay-Per-API-Call Agent"
heading to "## Examples" (ensuring the example content remains unchanged);
ensure the new headings "How It Works" and "Examples" are present exactly as
written to satisfy skill-format compliance while preserving sections like the
x402 Protocol, Spending Controls, Non-Custodial Wallets, MCP Integration JSON
block, Available Tools table, and the TypeScript pay-per-API-call example.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f39cfcc2-bad5-466b-816f-dc249d6dfe9c

📥 Commits

Reviewing files that changed from the base of the PR and between 2166d80 and f7d589c.

📒 Files selected for processing (1)
  • skills/agent-payment-x402/SKILL.md

@cubic-dev-ai cubic-dev-ai Bot left a comment

3 issues found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="skills/agent-payment-x402/SKILL.md">

<violation number="1" location="skills/agent-payment-x402/SKILL.md:39">
P2: Documentation recommends unpinned `npx` execution for a payment-signing package, creating supply-chain and reproducibility risk.</violation>

<violation number="2" location="skills/agent-payment-x402/SKILL.md:52">
P1: Security model contradiction: `set_policy` is listed as an agent-available tool, which can let the spender mutate its own limits unless explicitly restricted.</violation>

<violation number="3" location="skills/agent-payment-x402/SKILL.md:82">
P2: User-facing documentation links to an unvetted external GitHub repository/PR, conflicting with repository review policy on external repo links.</violation>
</file>

greptile-apps Bot commented Mar 24, 2026

Greptile Summary

This PR adds a new agent-payment-x402 skill that documents how to integrate autonomous payment capabilities into AI agents via the x402 HTTP payment protocol and the agentwallet-sdk MCP server. The skill covers the payment negotiation flow, spending policy enforcement, non-custodial wallet setup, and a TypeScript orchestrator example. The document has gone through extensive revision — many previously-flagged issues (unpinned npx, mcp.call() pseudocode, missing transport connection, fail-open budget checks, set_policy privilege-escalation, etc.) have been addressed in this version.

Two issues remain:

  • Missing env field in the mcpServers JSON config: The primary JSON config block that Claude Code users copy into their MCP settings does not include an env entry for the wallet private key. Without this, users relying on Claude Code's built-in MCP management have no guidance on how to pass credentials to the subprocess — the TypeScript orchestrator example handles this correctly but requires writing a custom orchestrator.
  • PATH ?? "" empty fallback breaks subprocess spawning: In the TypeScript example, process.env.PATH ?? "" passes an empty string when PATH is unset. Because the env object passed to StdioClientTransport completely replaces the subprocess environment (not merges), an empty PATH means npx cannot be found and the server never starts, producing a confusing error unrelated to payment logic.

Confidence Score: 3/5

  • Safe to merge with minor fixes — two remaining issues affect usability and debuggability for the most common (JSON config) usage path, but neither is a runtime security hole in the documented code.
  • The skill has been substantially hardened through revision; the TypeScript orchestrator example now correctly handles transport setup, credential validation, policy-result checking, fail-closed budget enforcement, and non-zero exit on failure. Two issues remain: the primary mcpServers JSON config block omits the env field for the wallet key (a usability gap for the majority of Claude Code users), and the PATH ?? "" fallback will produce a hard-to-diagnose spawn failure if PATH is absent. Neither breaks the documented security model, but the env omission in the JSON config leaves credential wiring entirely implicit for the common case.
  • skills/agent-payment-x402/SKILL.md — specifically the mcpServers JSON config block (missing env) and the PATH ?? "" fallback in the TypeScript transport setup.

Important Files Changed

| Filename | Overview |
| --- | --- |
| skills/agent-payment-x402/SKILL.md | New skill documenting autonomous agent payments via the x402 protocol. The TypeScript orchestrator example has been substantially hardened across many revision cycles; most previously-flagged issues are now addressed. Two remaining issues: the primary mcpServers JSON config block is missing an env field for WALLET_PRIVATE_KEY, leaving users without credential guidance; and the PATH ?? "" fallback in the TypeScript transport setup will produce an unresolvable-executable error when PATH is not set, since env fully replaces the subprocess environment. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Orchestrator
    participant AgentpayMCP as AgentPay MCP Server<br/>(agentwallet-sdk)
    participant Agent
    participant ExternalService as External Service

    Orchestrator->>AgentpayMCP: connect(StdioClientTransport)
    Orchestrator->>AgentpayMCP: callTool("set_policy", {per_task_budget, per_session_budget, allowlist})
    AgentpayMCP-->>Orchestrator: policyResult (check isError)

    Orchestrator->>Agent: delegate task (within policy bounds)

    Agent->>AgentpayMCP: callTool("check_spending")
    AgentpayMCP-->>Agent: {remaining: number}
    alt remaining >= apiCost
        Agent->>ExternalService: HTTP request
        ExternalService-->>Agent: 402 Payment Required
        Agent->>AgentpayMCP: callTool("send_payment", {recipient, amount})
        AgentpayMCP-->>Agent: payment signed & broadcast
        Agent->>ExternalService: retry request with payment proof
        ExternalService-->>Agent: 200 OK + response
        Agent->>AgentpayMCP: callTool("list_transactions") [audit]
    else budget exceeded
        Agent--xAgent: throw Error("Budget exceeded — action blocked")
    end
```

Reviews (10): Last reviewed commit: "Update skills/agent-payment-x402/SKILL.m..."

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="skills/agent-payment-x402/SKILL.md">

<violation number="1" location="skills/agent-payment-x402/SKILL.md:74">
P2: Payment guard example swallows exception context in catch, reducing observability/auditability for spending-check failures.</violation>
</file>

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="skills/agent-payment-x402/SKILL.md">

<violation number="1" location="skills/agent-payment-x402/SKILL.md:71">
P1: MCP client example calls `callTool` before showing any transport/session connection, making the snippet likely non-runnable and misleading for users.</violation>
</file>

@affaan-m

thanks for the pr. triaged and queued for maintainer review.

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="skills/agent-payment-x402/SKILL.md">

<violation number="1" location="skills/agent-payment-x402/SKILL.md:96">
P1: Validate that `check_spending` returned a numeric `remaining` value before comparing budgets; otherwise malformed responses can bypass the guardrail and allow paid actions to proceed.</violation>
</file>

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="skills/agent-payment-x402/SKILL.md">

<violation number="1" location="skills/agent-payment-x402/SKILL.md:99">
P1: Budget enforcement can be bypassed because numeric validation allows non-finite values (`NaN`/`Infinity`) and does not validate `apiCost`.</violation>
</file>

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="skills/agent-payment-x402/SKILL.md">

<violation number="1" location="skills/agent-payment-x402/SKILL.md:74">
P2: The example forwards the entire parent `process.env` to a high‑privilege third‑party subprocess, which unnecessarily exposes unrelated secrets to that dependency. Prefer whitelisting only required env vars (e.g., the wallet key and PATH).</violation>

<violation number="2" location="skills/agent-payment-x402/SKILL.md:115">
P3: Handle `result.isError` before parsing `result.content` as JSON. Without this guard, tool-execution failures are incorrectly reported as unexpected format errors, which obscures the real payment-service failure.</violation>
</file>

@up2itnow0822 up2itnow0822 force-pushed the feat/agent-payment-x402-skill branch from 79fa3fe to 5bfbcd7 Compare March 24, 2026 20:25
Security model:
- Remove set_policy from agent-callable tools table; document as
  orchestrator-only to prevent self-privilege escalation
- Pin agentwallet-sdk@6.0.0 in MCP config with pre-install guidance
  (npx without -y hangs in non-interactive MCP startup)
- Whitelist only required env vars (PATH, NODE_ENV, WALLET_PRIVATE_KEY)
  instead of forwarding entire process.env to subprocess

Code example (complete rewrite):
- Add StdioClientTransport import and client.connect() for runnable code
- Wrap in async main() for CJS/ESM compatibility (top-level await)
- Verify set_policy result via isError before delegating
- Five distinct fail-closed error paths in preToolCheck:
  1. Invalid apiCost input (NaN/Infinity bypass prevention)
  2. Transport/connectivity failure
  3. Tool-level error (isError: true, e.g., auth failure)
  4. Unexpected response format (missing/non-finite remaining)
  5. Budget exceeded (clear amounts in message)
- Use Number.isFinite() for both apiCost and remaining validation

Documentation:
- Rename headings per CONTRIBUTING.md format
- Replace broken mcp-server-patterns cross-ref with security-review
- Add 'Pin your dependencies' to Best Practices
- Add security note about supply-chain risk
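
The five fail-closed paths listed in the commit message above, as an added TypeScript example that is not the PR's SKILL.md code. It assumes check_spending returns one text content item holding JSON with a numeric `remaining` field (as in the Greptile sequence diagram); `decide`, `preToolCheck`, `textResult` and the reason strings are hypothetical names.

```typescript
// Added example, not the project's code: a fail-closed pre-dispatch budget check.
// Every path that cannot prove "remaining >= apiCost" returns allowed: false.

type ToolResult = {
  isError?: boolean;
  content?: Array<{ type: string; text?: string }>;
};

// What the transport produced: a tool result, or the error thrown while calling.
type CallOutcome =
  | { ok: true; result: ToolResult }
  | { ok: false; error: unknown };

type Decision = { allowed: boolean; reason: string };

const deny = (reason: string): Decision => ({ allowed: false, reason });

function decide(apiCost: number, outcome: CallOutcome): Decision {
  // Path 1: invalid apiCost. NaN makes every comparison false, so a bare
  // "remaining < apiCost" test would never block. Rejecting negatives is an
  // extra check added here, not one named on the page.
  if (typeof apiCost !== "number" || !Number.isFinite(apiCost) || apiCost < 0) {
    return deny("invalid-api-cost");
  }
  // Path 2: transport or connectivity failure.
  if (!outcome.ok) {
    const err = outcome.error;
    return deny(`transport-failure: ${err instanceof Error ? err.message : String(err)}`);
  }
  const result = outcome.result;
  // Path 3: tool-level error, checked before any JSON parsing so a server
  // failure is not misreported as a format problem.
  if (result.isError) {
    return deny("tool-error");
  }
  // Path 4: unexpected response format (no text, bad JSON, non-finite remaining).
  const text = result.content?.[0]?.text;
  if (typeof text !== "string") {
    return deny("unexpected-format");
  }
  let remaining: unknown;
  try {
    const parsed = JSON.parse(text) as { remaining?: unknown } | null;
    remaining = parsed?.remaining;
  } catch {
    return deny("unexpected-format");
  }
  if (typeof remaining !== "number" || !Number.isFinite(remaining)) {
    return deny("unexpected-format");
  }
  // Path 5: budget exceeded, with both amounts in the message for the audit trail.
  if (remaining < apiCost) {
    return deny(`budget-exceeded: need ${apiCost}, remaining ${remaining}`);
  }
  return { allowed: true, reason: "within-budget" };
}

// Async wrapper. `callTool` is a hypothetical stand-in for an MCP client's
// callTool method; a thrown error becomes the transport-failure outcome.
async function preToolCheck(
  callTool: (name: string) => Promise<ToolResult>,
  apiCost: number,
): Promise<Decision> {
  let outcome: CallOutcome;
  try {
    outcome = { ok: true, result: await callTool("check_spending") };
  } catch (error) {
    outcome = { ok: false, error };
  }
  return decide(apiCost, outcome);
}

// Constructed sample outcome (not captured from a real server).
function textResult(text: string): CallOutcome {
  return { ok: true, result: { content: [{ type: "text", text }] } };
}

// Constructed inputs: the last one parses to Infinity, which JSON allows in
// number syntax and which Number.isFinite rejects.
function demoReasons(): string[] {
  return [
    decide(1, textResult('{"remaining": 5}')),
    decide(NaN, textResult('{"remaining": 5}')),
    decide(1, textResult('{"remaining": 1e999}')),
  ].map((d) => d.reason);
}
```
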
@up2itnow0822 up2itnow0822 force-pushed the feat/agent-payment-x402-skill branch from 5bfbcd7 to e57ad5c Compare March 24, 2026 20:36
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Comment on lines +36 to +45
```json
{
"mcpServers": {
"agentpay": {
"command": "npx",
"args": ["agentwallet-sdk@6.0.0"]
}
}
}
```

P1 mcpServers JSON config missing env field for wallet credentials

The mcpServers JSON block is the primary entry point for Claude Code users who don't write their own orchestrator. It does not include an env field, so there is no guidance on how to pass the wallet private key to the subprocess. When Claude Code spawns the MCP server from this config, the subprocess environment depends entirely on what Claude Code happens to inherit — the key may or may not be present, with no controlled injection.

The TypeScript orchestrator example correctly handles this (with an explicit env object in the transport), but that path requires writing a custom orchestrator. A reader who copies only this JSON block has no idea how to supply credentials, which is a significant omission for a tool that manages private keys and authorises financial transactions.

The mcpServers format supports an env field (just as the TypeScript StdioClientTransport does). The block should include one, with a placeholder referencing the appropriate environment variable and a note to set that variable in the shell before starting Claude Code — mirroring the same guidance already present in the TypeScript example.

Comment on lines +84 to +88
env: {
PATH: process.env.PATH ?? "",
NODE_ENV: process.env.NODE_ENV ?? "production",
WALLET_PRIVATE_KEY: walletKey,
},

P1 Empty PATH fallback will silently prevent npx from executing

process.env.PATH ?? "" falls back to an empty string when PATH is not set in the environment. Because env is passed directly to StdioClientTransport, Node.js's child_process.spawn uses it as the complete replacement environment — it does not merge with the parent process's existing environment. An empty PATH means no executables can be resolved, including npx itself. The subprocess will fail immediately with a "command not found" style error, which is completely unrelated to payment logic and very hard to diagnose.

Since the code already validates that the wallet key is present before reaching this point, a consistent pattern would be to apply the same eager validation to PATH:

```typescript
const envPath = process.env.PATH;
if (!envPath) {
  throw new Error("PATH is not set — cannot spawn npx");
}
const transport = new StdioClientTransport({
  command: "npx",
  args: ["agentwallet-sdk@6.0.0"],
  env: {
    PATH: envPath,
    NODE_ENV: process.env.NODE_ENV ?? "production",
    // wallet key forwarded here
  },
});
```

@ankitSrivastavaITH ankitSrivastavaITH left a comment

Review from @ankitSrivastavaITH

Reviewed the latest commit (95a1435). The skill is well-structured and the author has addressed most bot feedback across 3 iterations. The code example is now substantially better (proper MCP client setup, fail-closed paths, env whitelisting). A few issues remain:

Remaining Issues

1. [P2] mcpServers JSON config missing env for wallet credentials

The JSON config block (the primary copy-paste entry point for most users) doesn't show how to pass WALLET_PRIVATE_KEY. The TypeScript example does it correctly with env whitelisting, but someone who only copies the JSON block will get a server that starts without credentials.

```json
{
  "mcpServers": {
    "agentpay": {
      "command": "npx",
      "args": ["agentwallet-sdk@6.0.0"],
      "env": {
        "WALLET_PRIVATE_KEY": "${WALLET_PRIVATE_KEY}"
      }
    }
  }
}
```

2. [P2] npx without -y hangs in non-interactive MCP startup

The security note correctly warns against unpinned versions, and the prerequisites section suggests npm install -g first. But the mcpServers JSON still uses npx without -y — if the package isn't globally installed, Claude Code's MCP server startup will hang waiting for a confirmation prompt. Either:

  • Add -y back (since version is pinned, supply-chain risk is mitigated), or
  • Change command to the globally installed binary path

3. [P2] PATH fallback to empty string breaks npx execution

In the TypeScript example at line 88:

PATH: process.env.PATH ?? "",

If PATH is unset, the empty string means npx can't be found. Should throw or use a sensible default.

4. [P1] agentwallet-sdk package verification

This skill recommends running a third-party npm package (agentwallet-sdk) that handles private keys. For a security-sensitive skill in ECC:

  • The npm package has only ~250 weekly downloads
  • The author of this PR appears to be affiliated with the package (up2itnow0822 / "AI Agent Economy")
  • This should be disclosed in the PR description

Not a blocker, but the maintainer should be aware this is effectively a promotion of the author's own package.

5. [Nitpick] Line count

At 178 lines, this is within the 500-line CONTRIBUTING.md limit but relatively long for a skill that's primarily documentation for one specific SDK. The code example alone is ~65 lines.

What's Good

  • Fail-closed design is well-documented and the code example demonstrates 5 distinct error paths
  • Env var whitelisting in the transport setup is a good security pattern
  • set_policy is correctly kept out of agent-callable tools
  • Spending controls section is clear and actionable
  • Production references add credibility

Issues 1-3 are worth fixing before merge. Issue 4 is for the maintainer's awareness.

@affaan-m affaan-m merged commit 3ae0df7 into affaan-m:main Mar 29, 2026
4 checks passed
peiking88 pushed a commit to peiking88/everything-claude-code that referenced this pull request Apr 4, 2026
…x402-skill

feat: add agent-payment-x402 skill for autonomous agent payments
FrancescoRosciano pushed a commit to FRosciano-Mambo/everything-claude-code that referenced this pull request Jun 1, 2026
…x402-skill

feat: add agent-payment-x402 skill for autonomous agent payments