agentpass-skill
April 14, 2026 · View on GitHub
The first digitally-signed payment Skill for AI agents.
A Claude / Cursor / Cline / Zed / Claude Code compatible Skill that lets an AI agent make signed, identity-verified, trust-gated, sanctions-screened payments across every major agent payment rail:
x402 · Stripe · ACP · AP2 · MPP · Mastercard Agent Pay · Visa TAP · L402
Every payment is:
- Signed with
x-agent-trust(ECDSA P-256) — registered in the OpenAPI Extensions Registry and specified in IETF draft-sharif-agent-payment-trust - Screened against OFAC SDN + UK HMT (75,000+ sanctions entries)
- Trust-gated on L0–L4 agent behavioural score
- Recorded in a tamper-evident hash-chained audit trail
And — critically — the Skill itself is digitally signed so a conformant host can verify its authenticity before loading it into the agent's context. See SIGNATURE.md for the verification procedure.
Why skill signatures matter
Agent Skills have no built-in authenticity primitive. A malicious Skill that lands in a user's .claude/skills/ folder can inject arbitrary instructions into the agent's system prompt via the description field (OWASP AST04 Insecure Metadata / AST02 Supply Chain Compromise). A real-world incident — the "ClawHub registry" compromise — confirmed five of the top seven most-downloaded skills at peak infection were malware.
This Skill uses the Agent Skills spec's metadata extension point to embed an ECDSA P-256 signature over the canonical skill content. Hosts that verify the signature before loading gain tamper-evident supply-chain protection.
We are publishing this pattern as an open reference implementation and a PR to the Agent Skills spec proposing a first-class signature field.
Install
Option 1 — Claude Code plugin marketplace
/plugin marketplace add cybersecai-uk/agentpass-skill
/plugin install agentpass-pay@cybersecai-uk/agentpass-skill
Option 2 — Manual install
git clone https://github.com/cybersecai-uk/agentpass-skill.git
cp -r agentpass-skill/agentpass-pay ~/.claude/skills/
Option 3 — As a ZIP via claude.ai
Download agentpass-pay.zip from the releases page and drop into Claude Desktop's Skill upload.
Verify before you trust
Before using the skill in production, verify the signature:
git clone https://github.com/cybersecai-uk/agentpass-skill.git
cd agentpass-skill
node verify.js
Expected output:
VERIFIED agentpass-pay/SKILL.md
keyid : cybersecai-skill-2026-04-14
signedAt : 2026-04-14T...
digest : sha256:...
publisher: did:web:cybersecai.co.uk
Exit code 0 on verified. Non-zero otherwise. See SIGNATURE.md for the canonical verification procedure and host-integration hooks.
Requires a payment-execution tool
The skill teaches the agent to call one tool: agentpass_pay. That tool ships with either:
- MCP server:
agentpass-demo-mcp— free Apache 2.0, hosted-API-backed, good for evaluation - Commercial SDK:
@cybersecai-uk/agentpass-sdk— BSL 1.1, runs locally with bundled sanctions/trust/rails, required for production
Without one of these wired into the host, the Skill has nowhere to execute. Install the MCP server or the SDK first, then install this Skill.
Related
- Spec: agentskills.io/specification
x-agent-trustreference: github.com/cybersecai-uk/x-agent-trust-referenceagentpass-demo-mcp: github.com/cybersecai-uk/agentpass-demo-mcp- OWASP Agentic Skills Top 10: owasp.org/www-project-agentic-skills-top-10
- OWASP MCP Security Cheat Sheet Section 7: cheatsheetseries.owasp.org
- IETF
draft-sharif-agent-payment-trust: datatracker.ietf.org
Publisher
CyberSecAI Ltd · UK company · contact@agentsign.dev
Raza Sharif, FBCS, CISSP, CSSLP. Published author, Breach 20/20.
Licence
Apache License, Version 2.0. See LICENSE.