Install: `claude install-skill ChainGPT-org/chaingpt-claude-skill`
# ChainGPT Agent Wallet Skill
The agent has its own EOA wallet on every EVM chain it supports. The admin (you, in your shell) sets policies that the agent cannot violate or revoke — even if a malicious prompt convinces the LLM to try.
## Threat model
**The attacker's goal:** prompt-inject the agent to drain its wallet to an attacker address.
**The plugin's defense:** the policy check is in **code, not in the LLM's prompt**. Every `chaingpt_agent_wallet_sign_and_send` call:
1. Loads the policy file fresh from disk (no caching — admin can update mid-session).
2. Runs `checkPolicy(intent)` — pure deterministic code that doesn't see the LLM's context.
3. Refuses if any rule fails, with a clear reason the agent surfaces back to the user.
The attacker can convince the LLM to call `sign_and_send(to=attacker, value=ALL)` — but the tool layer refuses because `attacker` is not in `allowedToAddresses`, `value` exceeds `maxTxValueWei`, or `killSwitch` is `true`. **The trust boundary is the tool code, not the LLM.**
There is no MCP tool that writes the policy file. The admin edits it directly with a text editor. There is no MCP tool that reads or sets the passphrase. The passphrase lives only in the shell env var **or** the OS keychain — never in the keystore file, never in the LLM's context.
## Setup (admin steps — done once)
The keystore passphrase resolves in this priority order:
1. **`CHAINGPT_AGENT_WALLET_PASSPHRASE` env var** — explicit override. Best for CI / headless / power