Base MCP plugin expansion turns agent tool access into KYA evidence
Base's June 23 MCP skill expansion moves onchain agents from simple wallet proposals toward a wider execution surface: swaps, NFT actions, token launches, gift cards, AI inference, yield vaults, and x402 payments.
Daily signal: Discord tech-intel channel 1468032405695627386 could not be read through the local OpenClaw gateway during this run because the read command timed out after 10 seconds. Web verification surfaced Base's official X post listing 13 new MCP project skills, CryptoAdventure coverage of the expanded plugin surface, Chainalysis x402 adoption data, ValueTheMarkets coverage of 0x agent-facing liquidity access, and SecurEnds analysis of AI-agent identity risk. These are product, market-structure, and security-governance signals, not a formal Know Your Agent rule.
Why this matters for KYA
Base MCP already made the wallet approval screen a control point for agent-prepared actions. The new signal is breadth. Base's official post listed 13 projects integrating new MCP skills, including yield, Venice, KyberNetwork, OpenSea, o1.exchange, Balancer, Printr, Bitrefill, Flaunch, Clawnch, Hydrex, Brickken, and GMGN. Coverage described agent routes into trading, liquidity, NFT markets, token launches, private AI inference, commerce funded by USDC, yield vault activity, and x402 payments.
That turns KYA into a tool-access file, not only a wallet file. A finance agent that can check balances is materially different from one that can select a swap route, buy an NFT, list an asset, launch a token, purchase a gift card, deposit into a vault, or pay an API endpoint. Even when every write action still needs user confirmation, the review file must show what the agent was allowed to prepare, which plugin it selected, what parameters it used, and whether the user approved or rejected the action.
The same direction is visible outside Base. Chainalysis says x402 payment activity on Base has crossed 100 million cumulative transactions through Q1 2026, with $1-plus transactions now representing 95% of value transferred. ValueTheMarkets reported that 0x is making liquidity aggregation easier for AI agents through wallet-paid API access and agent-focused documentation. These signals make tool scope, payment scope, and settlement evidence first-class KYA fields.
Screenshot-ready KYA compliance comparison table
| KYA dimension | Weak onchain-agent posture | KYA-ready onchain-agent posture | Evidence reviewers should expect |
|---|---|---|---|
| Operator identity | The agent, wallet, MCP client, plugin, protocol, and human user are collapsed into one account label. | The file separates agent builder, operator, controller, wallet owner, MCP server, plugin provider, protocol counterparty, and accountable human reviewer. | Agent registration, Base Account owner record, MCP server ID, plugin inventory, developer or operator KYB, accountable owner, escalation contact. |
| Agent mandate | The user gives broad prompts such as trade, buy, earn yield, launch, or pay without pre-defined action classes. | The mandate distinguishes read, quote, prepare, swap, bridge, list, mint, launch token, buy gift card, run inference, deposit, redeem, and x402 pay. | Mandate text, action-class matrix, asset and protocol allowlists, merchant or endpoint scope, spend and position caps, expiry, approval mode. |
| Wallet and custody | The wallet review step is treated as enough evidence, with little record of what the agent prepared before approval. | Wallet authority is scoped by asset, chain, plugin, action, spend limit, custody boundary, payment rail, and revoke path before any proposal reaches signing. | Wallet policy, session scope, proposed transaction payload, simulation output, approval or rejection receipt, transaction hash, revoke test. |
| Tool and venue access | All MCP skills are treated as generic tools, even when they touch swaps, NFTs, token launches, payments, AI inference, or vaults. | Each tool is classified by execution risk, value movement, market exposure, data exposure, third-party dependency, and jurisdiction sensitivity. | MCP skill list, plugin risk tier, API-key or wallet-permission scope, protocol allowlist, parameter schema, rate limit, kill switch, venue notice process. |
| Audit trail | Logs keep transaction hashes but do not connect prompt, tool choice, quote, policy check, wallet review, settlement, and exception handling. | Every action links prompt or intent, mandate version, selected plugin, parameter set, price or quote, policy decision, user confirmation, settlement artifact, and reconciliation status. | Intent record, MCP call log, quote record, simulation, policy decision, wallet approval receipt, x402 receipt, transaction hash, settlement status, exception log. |
| Security and abuse | The agent can discover and call powerful plugins without enough controls for prompt injection, malicious routes, stale approvals, toxic permissions, or repeated retries. | Controls include least-privilege plugin access, fail-closed policy, route screening, prompt-injection tests, short-lived credentials, anomaly alerts, human gates, and emergency disablement. | Threat model, prompt-injection test, malicious-plugin scenario, route-screening log, short-lived credential policy, anomaly alert, revoke receipt, incident runbook. |
| Jurisdiction fit | Plugin actions are launched globally without mapping payment, custody, trading, NFT, token-sale, consumer-protection, data, or sanctions exposure. | The KYA file maps each action class and payment rail to market availability, customer disclosure, licensing dependency, stablecoin policy, AML/KYT monitoring, and blocked-market rules. | Jurisdiction matrix, blocked-market list, stablecoin and sanctions policy, trading or token-sale review, consumer disclosure, data-transfer map, complaint path. |
The compliance lesson
The key design question is no longer whether an AI agent can hold a private key. In many account-abstraction and wallet-review models, the agent prepares actions while the user signs. The hard compliance question is whether the agent's preparation layer is governed. Tool choice, route selection, quote parameters, asset eligibility, merchant selection, payment endpoint, retry behavior, and vault entry can all create risk before the final wallet click.
That is why KYA should classify MCP skills as execution-capable venues when they can move value, alter market exposure, access paid resources, or change custody posture. A generic plugin registry is useful for discovery, but a finance-grade KYA file needs per-tool scope, per-action mandate, transaction evidence, and jurisdiction review.
Practical KYA checklist
- Inventory every MCP skill and classify it as read-only, quote-only, prepare-only, execution-capable, payment-capable, custody-relevant, or market-exposure-relevant.
- Require a mandate for each action class before enabling swaps, NFT actions, token launches, gift-card purchases, AI inference payments, vault deposits, redemptions, or x402 requests.
- Log the selected plugin, input parameters, quote, simulation, wallet review outcome, x402 receipt if any, transaction hash, and reconciliation status.
- Separate plugin discovery from plugin execution so an agent cannot silently choose a high-risk venue when the user asked for a broad outcome.
- Test prompt injection, stale sessions, malicious routes, over-cap payment attempts, unsupported jurisdictions, blocked assets, and revoke-after-compromise scenarios.
- Preserve evidence that no regulator, exchange, or payment network has been represented as adopting formal KYA unless a source explicitly says so.
Bottom line
Base MCP's expanded skills show how fast the agent surface can grow once wallet review, MCP tools, and onchain payment rails meet. KYA should follow the risk surface, not the label. If an agent can prepare a swap, launch a token, buy a service, list an NFT, pay an endpoint, or enter a vault, reviewers need evidence for who authorized it, which tool was used, what the tool could do, how the action was constrained, and how settlement or rejection was proven.
Sources reviewed: Base official X post on 13 new MCP project skills; CryptoAdventure coverage of Base MCP skill expansion; Chainalysis analysis of x402 agentic payment adoption; ValueTheMarkets coverage of 0x agent-facing liquidity access and AgentPay; SecurEnds analysis of AI-agent identity risk. These are product, market-structure, and security-governance sources, not claims that any regulator, exchange, or payment provider has adopted a formal Know Your Agent rule.