Ведущий криптокошелек с самостоятельным хранением и шлюз к Web3, созданный Consensys.
Читать все статьиAgent wallets face prompt injection, key exposure, and permission risk. Here's how wallet isolation and spend limits minimize risk.

An agentic wallet is secure when it treats the AI agent as an unfamiliar transaction proposer rather than a trusted signer. Keys stay isolated from the agent's reasoning process, permissions are scoped and revocable, and every transaction is checked before it's signed, so a manipulated or malfunctioning agent can be contained.
MetaMask covers what an agentic wallet is in What is an agentic wallet?, the full transaction lifecycle is explained in How AI agents transact without touching your keys, and the importance of self-custody is broken down in Why every AI agent needs a wallet. What follows focuses on mitigating the risks involved when an agent, not a person, is the one proposing transactions.
With agentic wallets, safety depends on whether the agent can reach private keys directly, whether its permissions are scoped or unlimited, and whether a transaction is checked before it's signed rather than after. An agent that proposes actions to an isolated, policy-enforced wallet carries a different risk profile than one that holds its own keys.
Setup | Where the risk actually sits |
Agent holds the private key directly | Any compromise of the agent is a compromise of the funds |
Agent and signer share one runtime | A flaw in the agent, or a tool it uses, can reach the signing path |
Signing is isolated, but permissions are unlimited | A manipulated agent can still authorize anything the wallet allows |
Signing is isolated, permissions are scoped, and transactions are checked before signing | A manipulated agent is bounded by policy, not by its own judgment |
A wallet built for a person assumes a human reviews each transaction before it's signed. An agentic wallet can't assume that: the same process that reads a token's metadata, a web page, or an API response may also be the process deciding what to sign next. How AI agents transact without touching your keys covers the full intent-to-execution lifecycle. What matters for security is where the agent's untrusted inputs and its transaction-signing authority are allowed to sit relative to each other and whether anything independent of the agent gets a say before a transaction lands onchain.
Prompt injection hides instructions inside content an agent is designed to read, such as a token description, a web page, an email, or an API response, rather than inside a conversation with the user. It matters more in a wallet context than most others: an agent that gets tricked into a bad email is inconvenient; an agent with signing authority that gets tricked can produce an irreversible transaction.
An agent that can read its own signing key, whether from a config file, an environment variable, or application memory, turns any compromise of that agent into a compromise of the funds it controls. Consider a February 8, 2026 incident in which Gitcoin's Owockibot exposed its own hot-wallet private key in multiple locations despite being instructed never to share it; losses were contained mainly because the wallet held only about $2,100. MetaMask Agent Wallet's server-wallet mode keeps keys inside a trusted execution environment the agent has no path into. A separate bring-your-own-wallet mode exists for developers who need local key control, and its documentation is explicit that the mnemonic should never be passed as a command-line argument, only through an environment variable, since command history and process lists are their own exposure path.
An agent scoped to check balances doesn't need the authority to approve unlimited token spending on any contract. When permissions don't scale down to the task at hand, one compromised or misled agent can act on the wallet's full authority instead of a narrow slice of it.
Some agentic wallets pair their security stack with reimbursement if something still goes wrong. Transaction Shield, MetaMask's subscription pairing Transaction Protection with priority support, reimburses up to $10,000 a month in mUSD for eligible transactions that clear MetaMask's security checks and still cause loss. It explicitly excludes losses from a compromised or leaked Secret Recovery Phrase or private key, ordinary market losses, protocol-level exploits, and peer-to-peer transfers. Reimbursement can absorb the outcome of a transaction that looked safe and wasn't.
MetaMask Agent Wallet's two operating modes change which controls apply automatically and which ones depend on the user catching a problem in real time. MetaMask's trading-modes documentation lists the guardrails each mode enforces before a transaction can proceed:
Guardrail enforced automatically | Guard Mode | Beast Mode |
Threat scanning on every transaction | Yes | Yes |
Network allowlist | Yes | No |
Address allowlist | Yes | No |
Token recipient allowlist | Yes | No |
Rolling 24-hour outflow limit | Yes | No |
Both modes still stop a transaction MetaMask's threat scanning flags as malicious or a contract it flags as risky, and both require 2FA approval before either kind proceeds. In Guard Mode, anything outside the configured allowlists or above the outflow limit also pauses for approval. In Beast Mode, it doesn't, because there are no allowlists to fall outside of. Beast Mode doesn't weaken malicious-transaction detection specifically; it removes the allowlist and spend-limit layer that would otherwise catch a legitimate-looking transaction the agent shouldn't have attempted in the first place
MetaMask's developer guidance for building agent-facing server wallets describes the general pattern: a signing key lives inside a trusted execution environment with no external networking and no persistent storage, the agent only ever holds a separate credential used to request a signature, and the enclave, not the agent, verifies the request, applies policy, and produces the signature. The agent proposes; it never possesses. MetaMask Agent Wallet's architecture applies that separation directly: in server-wallet mode, keys are managed inside a TEE the agent can't reach, while the user still retains self-custody and can export the underlying Secret Recovery Phrase. A request that needs approval enters an AWAITING_MFA state, and only the user's own MetaMask Mobile approval or email confirmation can move it forward, not the agent.
The agent's runtime cannot read or export the private key.
Signing happens in an isolated environment, not the agent's own process.
Spending is capped per transaction and on a rolling basis.
Contracts, networks, and recipients can be allowlisted rather than left open.
Every transaction is simulated and threat-scanned before it signs.
Policy limits are enforced outside the model. A system prompt is guidance, not enforcement.
Permissions can be revoked, or a session ended, immediately.
Flagged and completed actions are logged and auditable.
The setup has been tested against prompt-injection scenarios, not just expected prompts.
Any reimbursement coverage is understood for what it excludes, not just what it includes.
Agentic wallet vendors are converging on the same conclusion: the agent shouldn't be the security boundary. Where that boundary sits instead is what differs.
Where the boundary sits | Example | Main tradeoff |
Hardware plus mandatory human confirmation | Ledger's "agents propose, humans sign" model | Strong oversight, but every action needs a person present |
Infrastructure-enforced policy and screening | Coinbase's programmatic spending limits and KYT screening | Fast to deploy; the provider's infrastructure stays in the trust path |
Self-custodial wallet with scoped, revocable permissions | MetaMask Agent Wallet's Guard Mode and Beast Mode | User keeps the exit path; policies must be configured deliberately |
Process-level isolation the agent architecturally can't reach | BlockSec's open-source Web3 Companion wallet | Strong containment by design; newer and self-hosted rather than a managed product |
For a full vendor-by-vendor evaluation across Coinbase, Cobo, Ledger, BitGo, and OKX, see Best agentic wallets in 2026, compared.
None of this makes an agent immune to manipulation. The realistic goal isn't a model that never gets fooled. It's a wallet where being fooled doesn't turn into unlimited financial authority, where the worst a compromised agent can do is bounded by a spend cap, an allowlist, and a signature it was never able to reach on its own.