MerchantGuard — Compliance Layer for AI Agents

Version: 2.0.0 Author: MerchantGuard (https://merchantguard.ai) Purpose: Security scanning, adversarial testing, compliance scoring, and certification for AI agents that handle payments or sensitive data.

What This Skill Does

MerchantGuard is the compliance and security layer for the agent economy. Before your agent touches money, processes PII, or gets deployed to production — verify it.

This skill gives you:

1. GuardScan — Scan your code or skills directory for 102 security patterns (hardcoded keys, prompt injection, PCI violations). Runs locally, nothing uploaded.
2. Mystery Shopper — Run 10 adversarial probes against any agent (ethical boundary, PII leaks, double-charge, injection, timeout). Get a trust score 0-100.
3. GuardScore — Merchant compliance health score (chargeback rate, fraud stack, auth optimization, volume, PSP risk).
4. 14 AI Compliance Coaches — Ask vertical-specific compliance questions (CBD, crypto, nutra, adult, gaming, travel, subscriptions, telehealth, BNPL, Mexico, VAMP, high-risk, PSP matching, ecommerce).
5. Compliance Alerts — Real-time alerts on Visa/Mastercard rule changes, VAMP threshold updates, regulatory shifts.
6. Certification — Full TrustVerdict: Mystery Shopper + GuardScan + identity verification. Tiers: Unverified → Verified (50+) → Gold (70+) → Diamond (90+).

Commands

guard scan [path]

Scan a directory for security issues. Checks 102 patterns including:

• Hardcoded API keys and secrets
• Prompt injection vulnerabilities
• PCI DSS violations
• Sensitive file access (.ssh, .env, private keys)
• Unsigned or unverified dependencies

guard scan .
guard scan ~/.openclaw/skills/
guard scan /path/to/agent/code

Output: Risk score 0-100, categorized findings, remediation steps.

guard shopper <agent_name>

Run 10 adversarial probes against an agent:

guard shopper MyCoolAgent
guard shopper MyCoolAgent --endpoint https://myagent.com/api/probe

Output: Score 0-100, pass/fail per probe, trust tier.

guard score

Calculate GuardScore for a merchant:

guard score --chargeback-ratio 0.8 --vertical crypto --volume 50000

Output: Score 0-100, health band (SAFE/WARNING/ELEVATED/CRITICAL), factor breakdown, action items.

guard coach <vertical> "<question>"

Ask one of 14 compliance coaches:

guard coach crypto "Do I need a BitLicense to process crypto payments in New York?"
guard coach vamp "My chargeback ratio is 1.2%. What should I do immediately?"
guard coach mexico "What are CNBV requirements for fintech lending in Mexico?"
guard coach cbd "Can I use Stripe for CBD payments?"

Verticals: cbd, crypto, nutra, adult, gaming, travel, ticketing, subscriptions, ecommerce, bnpl, mexico, vamp, high-risk, psp-match, telehealth

Output: Structured Decision Object with risk level, required actions, policy citations, and disclaimer.

guard alerts

Get latest compliance alerts:

guard alerts
guard alerts --critical
guard alerts --vertical crypto,cbd

Output: Alert feed with severity, category, affected industries, action required.

guard certify <agent_name>

Run full certification pipeline (Mystery Shopper + GuardScan + identity):

guard certify MyAgent --wallet 0x1234... --endpoint https://myagent.com/api/probe

Output: TrustVerdict score, tier (Verified/Gold/Diamond), on-chain attestation option.

API

All commands call the MerchantGuard API at https://merchantguard.ai/api.

Authentication: MERCHANTGUARD_API_KEY environment variable (optional for free tier — 3 probes/month, basic scan, alerts).

npm Packages

For programmatic integration (Node.js/TypeScript):

npm install @merchantguard/guard          # Main SDK — everything in one package
npm install @merchantguard/mystery-shopper # Standalone Mystery Shopper client
npm install @merchantguard/guardscan       # Standalone code scanner
npm install @merchantguard/probe-handler   # Drop-in handler for receiving probes

VAMP Thresholds (Visa)

• < 0.9% — SAFE (no action needed)
• 0.9% - 1.5% — WARNING (early warning, take preventive action)
• 1.5% - 1.8% — ELEVATED (fines start, implement RDR + 3DS immediately)
• > 1.8% — CRITICAL (MATCH list risk, contact acquirer immediately)

Merchants have 45 days for remediation plans after entering the warning zone.

Trust Tiers (Agent Certification)

Diamond-certified agents can access: Mastercard Agent Pay, Visa Tap to Phone, autonomous payment routing, Durango high-risk processing.

Installation

For OpenClaw Agents (ClawHub)

# From ClawHub
openclaw skill install merchantguard

# Or manual install
mkdir -p ~/.openclaw/skills/merchantguard
cd ~/.openclaw/skills/merchantguard
curl -LO https://merchantguard.ai/skills/guard/SKILL.md
curl -LO https://merchantguard.ai/skills/guard/guard.py
curl -LO https://merchantguard.ai/skills/guard/claw.json
pip install requests

For any agent with npm

npx @merchantguard/guardscan .              # Scan current directory
npx @merchantguard/mystery-shopper MyAgent   # Probe an agent
npm install @merchantguard/guard             # Full SDK

Security Notes

This skill:

• Does NOT store or transmit your private keys
• Does NOT access files outside the specified scan directory
• GuardScan runs 100% locally — no code leaves your machine
• Uses HTTPS for all API communications
• All attestations signed with MerchantGuard's verified key (0x8E144D07e1F5490a1840d23FCE1D73266406AaF3)

Support

• Moltbook: @MerchantGuardBot
• Website: https://merchantguard.ai
• GitHub: https://github.com/MerchantGuard/agent-skills
• Telegram: @merchantguard
• X: @GuardClawbot

MerchantGuard — The Compliance Layer for the Agent Economy