A new open-source firewall called PaySafe aims to protect autonomous AI agents that use the x402 micropayment protocol from a critical vulnerability: payment hijacking via content injection. The tool, which can be integrated in about five minutes, scans outgoing payments for signs of manipulation before settlement.
The threat: invisible payment commands
When an agent reads a web page, malicious content — invisible to humans — can instruct it to send funds to an attacker's wallet. Because agents execute thousands of sub-cent transactions daily with no human oversight, such injections represent a predictable drain vector. PaySafe's creator, Corbin Allison, notes that the vulnerability is not exotic cryptography but simple content injection combined with autonomous spending.
How PaySafe works
PaySafe intercepts payment decisions before settlement. Developers wrap their payment call with `paysafe.guardOutgoing()`, which checks for nonce replay, overpayment, leaked secrets (private keys, seed phrases, API keys, card numbers), lookalike-token swaps, pay-to rotation on known merchants, velocity anomalies, and counterparty reputation. Verdicts return in under a millisecond of server time.
The critical feature for injection defense is `paysafe.observe()`. When an agent reads external content, it passes that text to PaySafe, tagging the next scan with provenance. If the pay-to address appeared in the observed content, the payment blocks. The system also flags injection tells such as "urgent," "system notice," authority claims, and obfuscated payloads (including base64 and zero-width-character tricks).
Attestation and MCP support
Every verdict carries an Ed25519 attestation cryptographically bound to the exact payment (sha256 of network, pay_to, asset, amount, nonce) with a five-minute expiry. The SDKs verify this automatically against a pinned server key, preventing tampered verdicts, substituted keys, or replayed "allow" responses. Wallet authors can use the standalone verifier to enforce a policy requiring a fresh, payment-bound allow-verdict before signing — while PaySafe never touches keys or funds.
For agents using the Model Context Protocol (MCP), integration requires zero code: adding a JSON config exposes nine tools for scanning, reputation lookup, key minting, plan management, and attestation verification.
Pricing and availability
The first 100 scans per key are free. After that, each scan costs $0.01, paid via x402 — the same mechanism agents use for other payments. Volume plans start at $4.99/month for half-price scans and $19.99/month for $0.002 per scan. No tier relaxes safety checks. Filing counterparty reports is free forever, contributing to a shared bad-actor registry. The SDKs are available on npm and PyPI under the MIT license, with the full source on GitHub.