The agent proposes, you approve on your Ledger. VaultPilot MCP is built for the realistic case where the AI, the MCP server, or your computer can be compromised — only your hardware wallet is trusted, and every transaction is cryptographically bound across every layer so tampering produces a visible mismatch on the device screen.
An end-to-end Solana send: the agent prepares the transaction, you match the message hash on the Ledger device, and approve. Whatever the agent claims it's doing, the Ledger screen is the source of truth.
An AI agent that holds your private keys is a private key on the internet. An AI agent connected to your wallet through an MCP server is the same problem in slower motion — a malicious prompt, a hijacked tool call, or a compromised dependency can quietly rewrite a recipient address or smuggle in an unbounded approval, and a software wallet has no independent eyes on what gets signed.
VaultPilot draws the trust boundary at the only place that really holds: the hardware wallet's screen. Every transaction the agent prepares is rendered to you in human-readable form, then re-rendered on the Ledger device itself. If anything between the two has been tampered with — a swapped recipient, a different chain, an inflated amount — the device shows you bytes that don't match what you asked for, and you reject before signing.
Portfolio totals, lending positions, staking balances, LP positions, swap quotes across EVM, TRON, and Solana — all read-only via your configured RPCs. No signatures, no key access.
VaultPilot MCP prepares the transaction bytes, computes a payload-hash fingerprint, and decodes the calldata via its local ABI registry, returning the structured view plus an opaque handle.
The agent cross-checks the function selector against 4byte.directory, re-derives the pre-sign hash, and renders a verification block. Any layer mismatch aborts before the device prompt.
EVM via Ledger Live over WalletConnect; TRON and Solana via direct USB. The device clear-signs known protocols and blind-signs the rest with a hash matching the agent's preview.
VaultPilot assumes the AI agent, MCP server, and host computer can all be compromised. Single-layer attacks are caught by overlapping checks; coordinated multi-layer attacks are narrowed by every layer that still works.
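As an added illustration of the cross-layer check described above (example code, not VaultPilot's own): the server layer returns raw bytes, a human-readable view and a fingerprint of the bytes; the agent layer re-derives recipient, amount and fingerprint from the raw bytes alone, compares them with what the user asked for, and refuses to reach the device prompt on any mismatch. The selector registry, the sha256-based fingerprint scheme and all addresses are constructed assumptions; the only real value is the ERC-20 `transfer(address,uint256)` selector.

```python
import hashlib

# transfer(address,uint256): a real, well-known ERC-20 selector.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
# Constructed stand-in for the 4byte.directory lookup; the real tool queries the service.
KNOWN_SELECTORS = {TRANSFER_SELECTOR: "transfer(address,uint256)"}

def encode_transfer(to: str, amount: int) -> bytes:
    """ABI-encode transfer(to, amount): selector, address left-padded to 32 bytes, uint256 big-endian."""
    return TRANSFER_SELECTOR + bytes.fromhex(to[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

def payload_fingerprint(chain_id: int, token: str, calldata: bytes) -> str:
    """Hash binding chain, contract and calldata. Assumed scheme: sha256 over a fixed-width
    serialization; the real pre-sign hash is chain-specific, but the cross-check logic is the same."""
    return hashlib.sha256(chain_id.to_bytes(8, "big") + bytes.fromhex(token[2:]) + calldata).hexdigest()

def mcp_prepare(chain_id: int, token: str, to: str, amount: int) -> dict:
    """Server layer: raw bytes, a human-readable view of them, and the fingerprint of the raw bytes."""
    calldata = encode_transfer(to, amount)
    view = {"chain_id": chain_id, "token": token, "function": "transfer(address,uint256)",
            "to": to, "amount": amount}
    return {"chain_id": chain_id, "token": token, "calldata": calldata, "view": view,
            "fingerprint": payload_fingerprint(chain_id, token, calldata)}

def agent_verify(prepared: dict, intent: dict) -> list:
    """Agent layer: re-derive everything from the raw bytes, never trusting the server's view.
    Returns the list of mismatches; only an empty list lets the flow continue to the device."""
    cd, view, problems = prepared["calldata"], prepared["view"], []
    if KNOWN_SELECTORS.get(cd[:4]) != view["function"]:
        problems.append("selector does not match the claimed function")
    if len(cd) != 4 + 64:
        return problems + ["calldata length unexpected for transfer"]
    raw_to = "0x" + cd[16:36].hex()               # low 20 bytes of the first 32-byte word
    raw_amount = int.from_bytes(cd[36:68], "big")
    if payload_fingerprint(prepared["chain_id"], prepared["token"], cd) != prepared["fingerprint"]:
        problems.append("fingerprint does not match raw bytes")
    checks = (("to", raw_to.lower(), intent["to"].lower()), ("amount", raw_amount, intent["amount"]),
              ("chain_id", prepared["chain_id"], intent["chain_id"]),
              ("token", prepared["token"].lower(), intent["token"].lower()))
    for name, got, want in checks:
        if got != want:
            problems.append(f"{name}: raw bytes say {got}, you asked for {want}")
    if (view["to"].lower(), view["amount"]) != (raw_to.lower(), raw_amount):
        problems.append("server view disagrees with raw bytes")
    return problems
```

When `agent_verify` returns an empty list, the fingerprint is the value the user then matches against the Ledger screen; the device remains the final anchor if both server and agent were wrong together.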
| Area | Coverage |
|---|---|
| Chains | Ethereum, Arbitrum, Polygon, Base, Optimism (EVM via Ledger Live + WalletConnect); TRON and Solana via Ledger USB HID. |
| Lending | Aave V3, Compound V3, Morpho Blue (EVM); MarginFi (Solana); Kamino in flight. |
| Staking | Lido, EigenLayer (EVM); TRON Stake 2.0; Marinade, Jito reads, native SOL delegation (Solana). |
| LP / Swap | Uniswap V3 LP positions; LiFi-aggregated EVM swaps and EVM↔Solana cross-chain bridges; Jupiter v6 on Solana. |
| Sends | Native + ERC-20 on EVM; native + TRC-20 on TRON; SOL + SPL on Solana with durable-nonce protection. |
| Risk tooling | Liquidation alerts, contract verification, privileged-role enumeration, DefiLlama-backed protocol risk score, market incident scan. |
Three install paths — pick whichever matches your setup. The full step-by-step is on the dedicated install page; the short version:
```sh
npm install -g vaultpilot-mcp
vaultpilot-mcp-setup
```
The setup wizard handles RPC configuration and optional API keys, and detects Claude Desktop, Claude Code, and Cursor on your machine, registering itself in their MCP-server config automatically.
Hardware-verified does not mean infallible. VaultPilot's threat model is documented openly in SECURITY.md, including the cases the layered defenses can degrade against — coordinated agent + server compromise on a blind-sign chain, a fully owned Ledger Live host swapping the WalletConnect session, oracle drift on lending markets. The point of writing it down is that you can decide what you trust before approving a 6-figure send, not after.
Software wallets and Ledger live in different security tiers. Software-wallet support is on the roadmap (MetaMask Mobile via WalletConnect) and will be clearly labelled as the weaker anchor — the existing pre-sign defenses still apply, but the on-device cryptographic binding does not.
Questions, security disclosures, integration requests — drop a line.