ZapBot is designed so write paths are explicit, session-bound, and reviewable.
Threats addressed
- Hallucinated token, chain, or amount details
- Prompt-level leakage of private keys
- Unconfirmed write execution
- Untracked runtime side effects
Key defenses
metadata.accountInfo is required, but only safe fields are injected into prompt text:
blockchainchainuser_account
private_key is excluded from prompt context.
Confirmation before interactive actions
| Class | Examples | Confirmation |
|---|
| Read | BalanceTool, PriceTool, PoolTool | no |
| Interactive | PerformZapTool, ChangeChainTool | yes |
Session-bound execution data
PerformZapTool executes only previously generated session route data and clears cached zap state after completion.
Full traceability
Session history includes metadata, conversation timeline, and structured tool logs.
Embedding guidance
- Keep read-only and execution-capable interfaces separate
- Require explicit confirmation in user-facing execution flows
- Use dedicated low-risk wallets in test environments
- Log and review all execution-sensitive tool outputs
Avoid
- Running write-capable flows without user confirmation
- Treating model text as final transaction truth without tool validation
- Storing long-lived hot keys in unattended runtime processes
Incident response basics
- Capture
sessionId and session history snapshot
- Inspect structured tool logs and execution response
- Verify on-chain receipts from transaction summary links
Last modified on May 26, 2026
