ARTICLE DOSSIER

A practical threat model for AI-agent wallets: key custody, prompt injection, sessions, budgets, receipts, approval policies, wallet reuse, and privacy logs.

Tags: AI Privacy, Wallets, OpSec
Review: 2026-07-05
Date: 2026-07-05
Read: ~5 min


Agent Wallet Threat Model: Keys, Sessions, Budgets, and Receipts

An agent wallet is not just a wallet. It is a signing environment attached to prompts, browser state, tool calls, account sessions, receipts, and model mistakes.

Privacy frame: agent payments are authority systems. The useful question is not whether a protocol is modern. The useful question is who can spend, who approves, who settles, who stores logs, and how quickly the user can revoke it.

Primary sources

Main assets

The obvious asset is money. The less obvious assets are account identity, purchase intent, wallet history, receipts, API keys, merchant sessions, and the prompts that explain why the payment happened.

A good threat model separates payment intent from signing authority. The agent can produce a request. A policy layer or human should decide whether money moves.

Main failure modes

The worst design puts seed material, browser automation, untrusted web content, and open-ended spending authority in one runtime. A prompt injection or tool bug then becomes direct money movement.

A second failure is receipt sprawl. If receipts, prompts, files, and identity documents land in one store, the payment trail becomes a map of the user.

  • Prompt injection asks the agent to pay the wrong party.
  • A merchant session leaks identity across unrelated tasks.
  • Wallet address reuse links agent tasks onchain.
  • A broad API key lets the agent create spend surfaces without review.

Safer architecture

Use task wallets or cards with small balances. Keep the signing key outside the browsing and prompt runtime. Put a policy check between the agent request and the payment tool.

For higher value workflows, require human approval. For repeat low-value workflows, use a narrow policy engine with amount, merchant, frequency, and category limits.

Minimum controls

  • No seed phrases in the agent runtime.
  • One wallet, card, or balance per task compartment.
  • Hard maximum amount before the workflow starts.
  • Human approval above a tiny threshold.
  • Receipt logs without prompts, private files, or secrets.

Use the Agent Money matrix and the agent-money directory filter to compare live Cunicula provider records.

Frequently Asked Questions

Should an AI agent hold wallet keys?

Usually no. The safer pattern is for the agent to draft a payment request and for a separate wallet, policy engine, or human to approve and sign.

What should an agent payment wallet log?

Log merchant, amount, task, instrument, approval result, and receipt reference. Avoid storing prompts, private files, seed material, bank data, or unrelated identity data in the same log.
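The policy layer described under "Safer architecture" and "Minimum controls", and the receipt fields listed in the FAQ answer above, as one added example (this is illustrative code written for this page, not Cunicula's or any provider's implementation; the policy values, field names and decision strings are assumptions):

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class TaskPolicy:                 # limits fixed for one task compartment before it starts
    max_amount: float             # hard maximum per payment
    human_approval_above: float   # anything above this is held for a human
    merchants: frozenset          # merchant allowlist for the task
    categories: frozenset         # spend categories allowed for the task
    max_payments: int             # frequency cap for the whole task

@dataclass(frozen=True)
class PaymentRequest:             # what the agent is allowed to draft
    task: str
    merchant: str
    amount: float
    category: str
    instrument: str   # task wallet or card identifier, never a key
    prompt: str       # why the agent wants to pay; never written to the receipt log

RECEIPT_FIELDS = ("task", "merchant", "amount", "instrument", "approval", "receipt_ref")

class PolicyEngine:
    """Sits between the agent's drafted request and the payment tool; holds no signing key."""
    def __init__(self, policies):
        self.policies = policies          # task -> TaskPolicy
        self.spent_count = defaultdict(int)
        self.receipts = []                # log entries hold RECEIPT_FIELDS only

    def evaluate(self, req, human_approved=False):
        p = self.policies.get(req.task)
        if p is None:
            return "deny:no_policy", None
        failures = [   # hard denials are checked before the human hold
            (req.amount > p.max_amount, "deny:over_max"),
            (req.merchant not in p.merchants, "deny:merchant"),
            (req.category not in p.categories, "deny:category"),
            (self.spent_count[req.task] >= p.max_payments, "deny:frequency"),
            (req.amount > p.human_approval_above and not human_approved, "hold:human_approval"),
        ]
        for failed, reason in failures:
            if failed:
                return reason, None
        self.spent_count[req.task] += 1
        receipt = {"task": req.task, "merchant": req.merchant, "amount": req.amount,
                   "instrument": req.instrument, "approval": "human" if human_approved else "policy",
                   "receipt_ref": secrets.token_hex(8)}   # constructed reference, not a real settlement id
        assert tuple(receipt) == RECEIPT_FIELDS          # prompt and secrets never reach the log
        self.receipts.append(receipt)
        return "approve", receipt
```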