Discussion: runtime preflight skill for Bankr wallet actions (companion to PR #388)

[opengrid1]

Opening this as a discussion alongside #388 so the Bankr team has a non-code thread to weigh in on scope, naming, and how this layer should sit beside existing controls.

TL;DR

• Live, public, rate-limited preflight endpoint: POST https://fleet-watcher.replit.app/api/bankr-guard/inspect
• npm package: fleet-watcher-bankr-guard (wraps fetch, fail-closed, never sees the bk_ key)
• PR adding it as an installable skill: Add fleet-watcher: runtime prompt-injection + wallet-hijack preflight #388
• Try-it page with four canned attacks: https://fleet-watcher.replit.app/bankr
• Source (MIT): https://github.com/Goblin-rush/fleet-watcher

Why this complements aeon-skill-security-scan
aeon-skill-security-scan catches malicious skills statically. It cannot catch the chain where every installed skill is clean but one obeys an instruction smuggled in via fetched content (tweet, RSS, DM, on-chain memo). That chain ends in a wallet drain. Fleet Watcher closes it by inspecting the proposed wallet action synchronously, before it reaches api.bankr.bot.

What gets blocked (live-verified)

• Override-prior prompt injection (NFKC-normalised + unicode-escape decoded so \u0069gnore-style evasion doesnt help)
• Fake Bankr domains from Bankr own security docs (bankr-claim.xyz, bankrbot.io, bankr-airdrop*, …)
• Unlimited token approvals
• EIP-712 / permit / permit2 / signTypedData originating from fetched content
• Pause-then-drain and control-bypass language
• Leaked bk_ keys appearing inside untrusted content
• Intent mismatch (visible prompt = read, proposed action = write)
• Destinations on the maintained public drainer feed (scam-sniffer + MEW darklist, refreshed every 6h)

Each BLOCK includes a remediation line that mirrors Bankr own incident-response order: Pause → Revoke → Rotate → Audit → Unpause.

Security properties

• Read-only. Fleet Watcher never sees the agent bk_ key.
• Matched substring is operator-visible in evidence but never echoed in the public reason field — no reflected-secret risk.
• Rate-limited: 600 req/min global + 30 req/min per distinct payload fingerprint, 16 KB body cap. Per-IP avoided deliberately (shared proxies collapse them).
• ALLOW verdicts are not persisted server-side; only BLOCK is.
• Fail-closed by default in the SDK.

What wed like from the Bankr team

1. Adversarial review of the pattern library and public endpoint.
2. Decision on merging Add fleet-watcher: runtime prompt-injection + wallet-hijack preflight #388 so the skill is installable through the standard catalog.
3. A pointer from Bankr own security docs would reach every agent dev who reads them.
4. Optional: co-maintain the drainer-feed allowlist.
5. Optional: an x-bankr-verified response header on api.bankr.bot would let the SDK detect spoofed upstreams.

Threat model: https://github.com/Goblin-rush/fleet-watcher/blob/main/threat_model.md

Happy to iterate on naming, scope, or pattern coverage. Everything MIT — if you would rather fork and host internally, the self-host instructions are in the README.