Frisk

Pre-transaction risk screening for autonomous AI agents.

Before your agent pays an x402 seller or calls an unfamiliar tool, ask Frisk whether the counterparty is trustworthy and whether the transaction fits your policy. You get a verdict — allow, review, or block — with a trust score and human-readable reasons. It's advisory: your agent stays in control of the decision.

Screen the transaction, then decide

One call before your agent pays. Lite mode runs entirely on your machine with zero runtime dependencies — no network call, no service to trust.

import { Client } from "frisk-screen";

const client = new Client(); // lite mode, no API key

// counterparty: the address you intended to pay; quote: the parsed 402 response
// from the seller. Both come from your agent's own context.
const result = await client.screen(counterparty, {
  endpoint: "https://api.seller.x402/quote",
  amount: 2.5,
  asset: "USDC",
  observedPayTo: quote.payTo,        // what the endpoint actually asked us to pay
  policy: { maxPerCall: 5.0, allowedAssets: ["USDC"] },
});

if (!result.allowed) {
  // result.verdict   -> "review" | "block"
  // result.reasons   -> ["payTo differs from the expected counterparty"]
  // your agent decides what to do — Frisk never moves funds itself
}

What lite mode checks

Deterministic, offline checks that close the x402 attacks you can close in your own process — before a single token moves.

Dynamic destination (check: payTo swap)

Flags when the payTo an endpoint returns differs from the counterparty you intended to pay — the x402 V2 address-swap attack.

Spending limits (check: policy)

Per-call ceilings and an asset allowlist, enforced deterministically. Stops an agent from silently paying whatever a malicious 402 quotes.

Insecure endpoints (check: transport)

Refuses to act on a payment address that arrived over plaintext HTTP, where anyone on the path can rewrite it.

Malformed counterparty (check: sanity)

Catches addresses that aren't well-formed — usually a bug or a probe, and never something you should pay.

Local seed blocklist (check: blocklist)

A blocklist check that runs offline. The live, continuously updated list is part of the hosted service.
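To make the five checks concrete, here is an added, self-contained illustration of how deterministic offline screening of this kind can be implemented. It is not the frisk-screen SDK: screenLocally, its types, the seed list entry and the sample quote are all constructed for this example, and the choice of which finding yields review versus block is an assumption.

```typescript
// Added illustration of the offline checks described above; not the
// frisk-screen SDK. screenLocally, its types and the seed list are
// hypothetical, and the review/block severity per check is an assumption.
type Verdict = "allow" | "review" | "block";
interface Policy { maxPerCall: number; allowedAssets: string[] }
interface Tx { endpoint: string; amount: number; asset: string; observedPayTo: string; policy: Policy }
interface Result { verdict: Verdict; allowed: boolean; confidence: "low"; reasons: string[] }

const EVM_ADDRESS = /^0x[0-9a-fA-F]{40}$/;
// Constructed seed entry; a shipped list would be larger and still offline.
const SEED_BLOCKLIST = new Set(["0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead"]);

function screenLocally(counterparty: string, tx: Tx): Result {
  const findings: Array<[Verdict, string]> = [];
  const expected = counterparty.toLowerCase();
  const observed = tx.observedPayTo.toLowerCase();

  // sanity: a malformed counterparty is a bug or a probe, never something to pay
  if (!EVM_ADDRESS.test(counterparty)) findings.push(["block", "counterparty is not a well-formed address"]);
  // transport: a payTo that arrived over plaintext HTTP could have been rewritten on the path
  if (!tx.endpoint.startsWith("https://")) findings.push(["block", "payment details arrived over plaintext HTTP"]);
  // blocklist: local seed list, no network call
  if (SEED_BLOCKLIST.has(expected) || SEED_BLOCKLIST.has(observed)) findings.push(["block", "address is on the local seed blocklist"]);
  // policy: per-call ceiling and asset allowlist, enforced deterministically
  if (tx.amount > tx.policy.maxPerCall) findings.push(["block", `amount ${tx.amount} exceeds maxPerCall ${tx.policy.maxPerCall}`]);
  if (!tx.policy.allowedAssets.includes(tx.asset)) findings.push(["block", `asset ${tx.asset} is not on the allowlist`]);
  // payTo swap: the quote names a destination other than the one we intended to pay
  if (observed !== expected) findings.push(["review", "payTo differs from the expected counterparty"]);

  // worst finding wins: block > review > allow; lite-style confidence is always low
  const verdict: Verdict = findings.some(([v]) => v === "block") ? "block" : findings.length ? "review" : "allow";
  return { verdict, allowed: verdict === "allow", confidence: "low", reasons: findings.map(([, r]) => r) };
}

// Constructed sample: a 402 quote whose payTo was swapped but is otherwise within policy.
const sample = screenLocally("0x1111111111111111111111111111111111111111", {
  endpoint: "https://api.seller.x402/quote",
  amount: 2.5,
  asset: "USDC",
  observedPayTo: "0x2222222222222222222222222222222222222222",
  policy: { maxPerCall: 5.0, allowedAssets: ["USDC"] },
});
// sample.verdict -> "review", sample.reasons -> ["payTo differs from the expected counterparty"]
```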

Lite vs. hosted

Lite catches the structural problems locally. Reputation history and threat intelligence need data that can't live on your machine — that's the hosted service, and it's honest about the difference.

              Lite (default)                Hosted (API key)
Runs          Locally, offline              Frisk API
Signals       Public, structural checks     Reputation graph, trained models, threat feed
Confidence    Always low                    Rises with coverage
Cost          Free, MIT                     Usage-based

The hosted tier is in early access. If you need reputation-backed verdicts, email support@tryfrisk.dev for a key — lite mode stays free and MIT either way.

Design principles

Advisory, not in-path

Frisk never holds your funds or blocks a payment itself. It returns a verdict; your code decides.

Zero runtime dependencies

The TypeScript SDK builds on platform fetch (Node, Bun, Deno, Workers, browser). The Python SDK uses only the standard library.

Typed, in both languages

Identical model in TypeScript and Python: a Client with one screen() call, fully typed.

Get started on GitHub