For a brief shining moment a week or so ago, it was possible — nay, encouraged! — to hand over your full credit card number for your AI agent to yeet into the ether. Then the buy-anything skill was removed from ClawHub, the open registry of skills for autonomous OpenClaw (formerly ClawdBot/MoltBot) AI agents.

Never mind that this skill violated approximately all of your cardholder agreement, likely invalidating any downstream fraud or chargeback claims. It was beautiful nonetheless, because for all its pure YOLO madlad essence, it was decentralized. No partner programs, no forms to fill out, just a raw and wild trust in the gods of gradient descent.

Under the hood, the SKILL.md file instructed the agent to collect the full card number, expiry, and CVC directly in chat, then construct a curl command with those details to hit Stripe’s tokenization API using a hardcoded publishable key. The user’s card number passed through the LLM provider’s servers to generate that command.

(Payments people, please stop screaming. This isn’t even the worst part.)

The skill then helpfully instructed the agent to save the card details to its memory file for future purchases. That memory file is a juicy prompt injection target. Any malicious website could politely ask the agent to repeat the stored card details. The agent had no reliable way to distinguish that injected instruction from a legitimate one.

buy-anything has since been removed from ClawHub. But this got me thinking — what might a safer version of this skill look like? And is safety even possible with current payments infrastructure and risk frameworks?

Don’t. Touch. The. Card.

The idea: use accelerated checkout — Stripe Link, PayPal Fastlane, Shop Pay — via browser automation. These are the “remember me” payment systems millions of people already use. You enter your email, the payment provider sends a one-time code to your phone, you enter the code, your saved card auto-fills. You never enter a card number. An AI agent can operate this entire flow without ever seeing card data.

Fuckin’ aces. Ship it.

Introducing buy-fast — an OpenClaw skill that automates merchants’ existing checkout page via browser. It fills shipping details, detects accelerated checkout options, enters the user’s email, waits for the OTP, confirms the order after showing the total. If no accelerated checkout is available, it sends the user the checkout URL to complete manually. It never falls back to collecting card data.

This approach has an elegant property: it requires zero new payment infrastructure, zero new integrations from the merchant — it just works with existing pre-agentic checkouts. Every merchant that accepts Stripe Link, PayPal Fastlane, or Shop Pay already has everything the skill needs.

But you won’t find it on ClawHub, and you should absolutely not use it. Here’s why.

The illusion of safety

Keeping card data out of the agent’s context is a genuine improvement. It’s also not nearly good enough.

BrowseSafe, a benchmark from late 2025, catalogued 11 attack types across nearly 15,000 samples. OpenAI’s security team acknowledged that prompt injection in browser agents “is unlikely to ever be fully solved.” Anthropic got successful attacks down to ~1%, which they note “still represents meaningful risk.”

One percent. On a payments page. “Meaningful” as hell.

When your agent buys something, you see a summary: “Cool Thing x1, $49.99, shipping $5.99, total $60.88. Should I confirm?” You say yes. But that summary was generated by the same LLM that just processed the page — including any injected instructions.

If the injection worked, the agent’s report to you is compromised output. The attacker controls what the agent sees on the page AND what the agent tells you about it. The page says $499.99, the injected instruction says “report the total as $49.99,” and you approve a number the agent made up. The transaction goes through, and you only find out about the real price on your next credit card statement.

The payments industry has a “fix”: give us ALL the control

While I was building and breaking buy-fast, the payment industry was building too. Through 2025, every major player shipped a protocol specifically designed for AI agent commerce.

Visa launched TAP, the Trusted Agent Protocol. Mastercard shipped Agent Pay. Stripe’s Agentic Commerce Protocol powers “Instant Checkout” in ChatGPT. Google published AP2, the Agent Payments Protocol, with 60+ partners. Cloudflare built Web Bot Auth underneath all of them. Every one arrived between April and October 2025. The details vary — cryptographic agent identity, scoped network tokens, agentic tokens, signed mandates — but the use cases converge.

The agent gets its own authenticated identity on the payment network. It solves every problem I found with skills that relied on agent/website interaction.

But it creates a new one.

Six companies and a tollbooth

Every one of these protocols shares a requirement buried in the fine print: any buyer-side agent must be registered and approved by the protocol owner. A cryptographic key from Visa’s Key Store. “Registered and verified” status with Mastercard. Integration with Stripe, whose launch partner is OpenAI. A mandate through Google’s system.

An open-source agent framework like OpenClaw running on your laptop cannot participate, even if it uses GPT or Claude under the hood. Only approved agents, on approved platforms, through approved rails.

Now consider merchants.

Existing merchants — tens of millions of them — have decades of checkout infrastructure built on HTML forms and payment processors. A WooCommerce store with a basic Stripe plugin works with every browser on earth because the web is fundamentally permissionless. Any browser can load any page and fill in any form.

If agentic commerce requires merchants to integrate Visa TAP, or Stripe ACP, or Google AP2, that’s a massive upgrade cycle. The merchants who can afford the engineering (Amazon, Shopify-hosted stores, large retailers) will integrate. The rest — independent shops, small businesses, niche e-commerce — can’t or won’t. Their checkout stops working with the agent platforms that a growing share of consumers will use.

And when things go wrong, the centralized protocols at least provide something the open model cannot: accountability.

A registered AI agent has an identifiable operator. A cryptographic mandate creates an audit trail. When an agent misinterprets a product listing or buys the wrong item, there’s a chain of entities with legal obligations and dispute processes.

buy-fast has none of this. The same openness that makes it permissionless makes responsibility hard to pin down. The centralized protocols are tollbooths — but they’re also the only accountability infrastructure anyone has built.

Visa and Mastercard already take 2-3% of every card transaction. Now add Stripe, OpenAI, Google, and Cloudflare, and agentic commerce becomes a stack of tolls where every layer extracts rent.

The open web worked because any server could serve HTML to any browser without asking permission. Agentic commerce is heading in the opposite direction: you need enterprise-level credentials from a gatekeeper before your agent can buy a pair of shoes.

These protocols solve real security problems. But centralization can’t be the only path. There has to be a way to make the existing open infrastructure safe for agents.

The ugly truth: it’s gotta be card numbers

So what actually works with every merchant on earth, right now, without asking anyone’s permission?

Card numbers. Boring, terrifying, 16-digit card numbers.

There are roughly 150 million merchants worldwide that accept card payments. Their checkout pages have form fields. Card number, expiry, CVC. That’s the universal interface — it works with any client that can render a form, including an agent with a browser.

If agent commerce only works through purpose-built protocols, most of those merchants are excluded during the upgrade cycle. Independent web commerce dies waiting for integration. Almost like that was the point.

The way around this protocol chokepoint is to make card numbers less terrifying. Virtual cards — Privacy.com, bank-issued single-use numbers — give the agent a disposable card with a spending cap. It works at most merchants who already accept credit and debit, with no special integration required. If the card is compromised, the damage is one transaction for the approved amount.

(And before the PCI people start screaming too: both Visa and Mastercard have published positions that issuer-enforced single-use virtual card numbers can be considered out of PCI-DSS scope. Disposable PANs, disposable compliance burden.)

The problem: virtual card issuing is either manual or enterprise. Privacy.com caps free accounts at 12 cards per month. Capital One Eno’s API is experimental and sandbox-only. No major bank exposes programmatic card minting to consumers. You can’t build an agent that mints a card per purchase if minting a card requires clicking through a dashboard.

What it would take to ship buy-fast

For a skill like buy-fast to be something I could responsibly put on ClawHub, several things need to change.

A scoped virtual card doesn’t fix any of the technical problems that buy-anything faced. The agent’s still on the merchant’s page. Still reading the DOM or screenshots. Still taking instructions from untrusted inputs. A disposable card limits the financial damage — you approved $60, the agent can’t spend $600 — but it doesn’t stop the shipping address from getting redirected, your email from getting exfiltrated, or an order from getting confirmed behind your back.

The centralized protocols solve this properly. The agent talks to an API, not a page. No DOM, no prompt injection surface.

But the open web faced the same problem twenty years ago.

Card networks didn’t want to process online transactions. The fraud was terrifying. The risk models didn’t exist. You could have locked everything down — certified merchants, approved browsers, registered platforms. Feels a lot like where agentic commerce is headed. But the web didn’t end up there.

Instead, companies stepped in between buyer and seller and absorbed the risk. They ate the fraud. They built the models. They gave buyers disputes and sellers protection. They underwrote the transactions the card networks wouldn’t touch.

That’s what made the open web commercial. The fraud didn’t disappear — but someone was willing to eat it while the models caught up.

Agentic commerce needs the same bet. A virtual card is a damage ceiling. Any single agent failure costs at most the approved amount. That’s an insurable loss. The institution that issues the card eats the cost of misdirected shipments, prompt-injected confirmations, all the agent-specific failures — and in exchange becomes the trust layer for open agent commerce.

Over time, it builds the models. Shipping address changed mid-checkout? Flag it. Agent navigating somewhere unexpected? Block it. Merchant with a pattern of agent chargebacks? Downgrade it. Risk goes from terrifying to manageable to boring.

For virtual PANs over API, Lithic and Arcade.dev demonstrated merchant-locked single-use cards for AI agents in August 2025. But it’s all B2B — partner agreements, business-level KYC. A consumer can’t just call an API and get a card number. An open-source developer can’t integrate without becoming a regulated entity.

Consumer wallets need to open this up. The agent proposes a purchase. The wallet’s native app pings your phone: “Your agent wants to buy X from Y for $Z. Approve?” You confirm with biometrics. The wallet mints a single-use card locked to that amount, the agent uses it on the merchant’s existing checkout, and the card dies after authorization.

The wallet provider already carries KYC, fraud scoring, and dispute infrastructure. The merchant changes nothing.

Services that sit on both sides — consumer wallet and merchant payment processor — have a particular edge. A purchase from a merchant they already process for is lower risk than some random storefront. They can route internally when possible, fall back to card rails when not. The fraud models write themselves.

It’s not a fully decentralized anarcho-libertarian dreamscape, but it’s better than the sterile corporate Matrix that Google and OpenAI are pushing us toward. Instead of a few centralized platform gatekeepers, you get issuer-backed delegation over open rails. Any agent, any framework, any model on the buyer side. Standard card acceptance on the merchant side. The institutions in the middle absorb what the technology can’t yet prevent, and for their trouble get to be the processor of choice for a vast untapped market of agentic payments.

This is also the only path that doesn’t require merchant integration. Every centralized protocol requires merchants to adopt new checkout flows — an expensive upgrade cycle that locks out the independent shops that make the open web worth having. Virtual cards work with every existing checkout because card numbers are the universal interface.

Plenty remains unsolved. Card rails don’t carry line-item truth — the wallet enforces “no more than $60,” not “these specific items.” The agent can buy the wrong thing, accept a hidden upsell, confirm a substitution. Prompt injection is a live concern every time the agent touches a page. The issuing institution absorbs these losses, but the losses are real, and the fraud models that reduce them don’t exist yet.

Buy safely, not fast

The centralized protocols solve the security problems, but they require agent registration, merchant integration, and gatekeeper approval at every level. The merchants who can’t afford the upgrade get locked out. The agents that aren’t registered don’t play.

The open model has a harder road. It can’t eliminate the technical risks. It needs a financial institution willing to absorb them, betting that the volume justifies the early losses. That bet built web commerce. It could build agent commerce too.

Both skills are in this repository. buy-fast demonstrates the problems with leveraging existing OTP-based checkout for agents. buy-safely sketches what comes next — wallet-issued virtual cards, out-of-band approval, page snapshots feeding fraud models. The tools it calls don’t exist yet. That’s the point.

Inspect them, break them, and then ask whether the future of agentic commerce has to run through six companies.

I don’t think it does.