How Do Stranger Agents Trust Each Other? w/ Billions

rep_hq avatar
REP
@rep_hqMar 26, 2026

The Spaces convened Danny (host), Joanna (Billions Network), Alex (True North) and Rahul (LI.FI) to examine where agent-to-agent systems fail today and how to build trust rails for autonomous coordination. The panel identified accountability gaps when agents act without verifiable links to human owners, widespread prompt-injection and malware risks in skill stores, and heightened exposure when agents hold credentials and access untrusted data. Joanna detailed Billions’ privacy-preserving identity layer (ZK-anchored DIDs) that ties agents to real humans and enables circuit breakers and portable reputation. Rahul described LI.FI’s agent-ready liquidity infrastructure (bridge/DEX aggregation, skills, hosted MCP) and stressed verifying identity and data provenance. Alex outlined True North’s AI trading stack, the dangers of credential leakage and context contamination, and the need for sandboxed, minimal-privilege architectures while humans remain in the loop. The group debated agent credit scoring vs. human credit, agreeing agent signals are faster and more dynamic and must anchor to identity. Looking ahead, they expect trusted rails to unlock scale, capital efficiency, permissionless access, and portable, self-sovereign trust across ecosystems. The session closed with pragmatic advice: start small, fight AI FOMO, use isolated environments, and incrementally grant capabilities as you learn.

AI agents as economic actors: trust, identity, and coordination

Participants and roles

  • Danny (Host, Rep team)
  • Joanna (Ecosystem Partnerships Lead, Billions Network)
  • Rahul (Head of AI, LI.FI)
  • Alex (Co‑founder, True North)

Context and opening

  • Danny framed the session around a fast-emerging reality: AI agents are becoming economic actors—trading, bridging, executing, analyzing—yet coordination and trust between previously unconnected agents remains unsolved.
  • Recent industry news touted a “stablecoin chain for agents” enabling agent payments—underscoring that rails for agent economic activity are arriving, while trust layers lag.
  • Goal of the roundtable: identify the current failure points; share in‑flight solutions from three different angles (identity/trust, liquidity/infra, trading/UX); explore what a solved future unlocks; and offer advice to builders and users.

Product snapshots and credibility

  • Billions Network (Joanna)
    • Positioning: privacy-preserving identity and trust layer for humans and AI agents.
    • Capabilities: verify real, unique humans and attributes (age, jurisdiction); verify AI agents are legitimate and linked to a verified human.
    • Traction: 2.3M+ verified users across multiple chains; recently launched a Verified Agent identity skill on Open Claw/Claw Hub; now the # 1 identity skill on Claw Hub with ~8,000 agent↔human pairings.
  • True North (Alex)
    • Product: “AI TradingView experience”—confluence of multi‑source data and personalization to help aspiring/discretionary traders see what “good” looks like and trade better.
    • Status: beta (referral‑only); fast growth with partnerships; willing to share invite codes.
  • LI.FI (Rahul)
    • Role: leading bridge and DEX aggregator—swap infrastructure spanning 20+ chains and their DEXs; any liquidity, any chain.
    • Agent enablement: API is agent‑ready; skills live on skill stores (Claw Hub, skills.sh, etc.); hosted MCP (Model Context Protocol) server to make agent access to cross‑chain liquidity easy.

Where current agent systems break

  • Accountability gap (Joanna)
    • Without verified identity linking an agent to a human owner, there’s no one to hold responsible when an agent misroutes funds or executes a bad trade.
    • Case study: Air Canada’s chatbot provided incorrect information; the company tried to disclaim responsibility, but the court held it fully liable—establishing a precedent that agents’ actions can be legally attributable to operators.
  • Verification and safety gaps (Rahul)
    • Malicious skills rise to the top: Claw Hub’s top skill was, at one point, straight malware—fake download metrics propelled its rank; agents blindly installing skills are at risk.
    • Prompt injection remains an unsolved, systemic risk; agents ingest untrusted content that becomes context, enabling lateral movement across tools and data sources.
    • Absent verification processes for skills, data, and counterpart agents, agent‑to‑agent commerce will remain toy‑level.
  • Trading‑specific attack surface (Alex)
    • Agent ecosystems depend on many external skills (technical/macro analysis, signals) and counterparties—expanding attack surface.
    • Credential exposure: agent “surrogates” (e.g., Open Claw/Claw bots) require credentials and APIs (broker, model providers). Once in context, secrets are hard to truly purge; memory can resurface.
    • Inter‑agent “handshakes” to enhance capability can leak capabilities and secrets; wide surfaces demand strong sandboxing and architecture to protect users when capital is at risk.
  • Layered accountability and natural‑language fragility (Danny)
    • Accountability must span the stack (data → model/agent → actuation), akin to logistics chains with tracked custody at each stage.
    • Even rational agents follow natural‑language instructions—susceptible to prompt engineering, especially at scale and outside controlled environments.

Identity, verification, and reputation: how to build trust rails

  • Anchored identity as the base layer (Joanna)
    • Billions anchors agent identity to a real human via verifiable DIDs and ZK proofs—resistant to swapping/gaming.
    • Without anchor, reputation is gamable: like credit scores, it only matters if bound to a persistent identity; otherwise actors can reset identities when reputation degrades.
    • Verified identity introduces circuit breakers: cryptographic source checks before acting, and the ability to trace/isolate/shut down bad actors.
  • Verified information and data provenance (Rahul)
    • Utility increases with more tools and data access (email, browsing, APIs), but attack surface grows.
    • Agents must assess whether incoming data streams are verified/trusted and recognize malicious infiltration attempts.
    • There’s no silver bullet for prompt injection yet; identity and data verification are critical mitigations.
  • Compounding reputation and economic costs to fake (Danny)
    • Reputation should be compoundable: as histories lengthen and variables increase, faking becomes economically expensive.
    • Beyond “proof of linkage” (agent↔human), we need verifiable track records and incentives that make misbehavior costly.
  • Incentives, consequences, and portable memory (Alex)
    • Reputation must tie to benefits (better rates, loans, vault access, strategy marketplaces) and consequences (slashing, tarnish, linkage to main accounts) to discourage Sybil and spam behaviors.
    • Vision: a portable, personalized memory artifact bound to strong identity primitives (DID/ZK), accumulating verifiable trading/investment behavior across time.

Agents vs. humans: do credit/reputation models differ?

  • Question (Rahul): Should agents have different on‑chain credit frameworks than humans?
  • Alex: Hold agents to the same—or more rigorous—standards as humans; however, design for efficiency with fair, permissionless, single‑purpose vertical checks (e.g., trading) that reduce friction versus legacy credit bureaus.
  • Joanna: Human reputation is slow‑moving and sticky (identity, credentials, history); agent reputation is faster, more dynamic (constant, parallel actions across environments). Signals differ and must be modeled accordingly.

What a solved trust stack unlocks

  • Scale and meaningful delegation (Rahul)
    • With trustworthy rails, users and institutions can confidently allocate significant capital to agent teams (e.g., a “financial advisor team” of agents) rather than dabble experimentally.
  • Permissionless, portable trust (Joanna)
    • Replace platform‑mediated trust (e.g., LinkedIn verification) with self‑sovereign identity and reputation that travel across chains, platforms, and ecosystems—no single intermediary can gate or revoke access.
  • Capital efficiency and democratized access (Alex)
    • Trust flywheels enable scalable, risk‑adjusted allocation aligned to personal preferences.
    • Open access to previously gated financial opportunities (hedge funds, private equity, alpha funds) via verifiable agent networks, vaults, and strategies.
  • Societal upside beyond money (Danny)
    • Think “credit–debit efficiency” for all resources: with verifiable histories and controllable computation environments, people can safely leverage resources, not just capital.
    • Compoundable context and an immutable, user‑controlled ledger of agent‑assisted actions enhance discovery and social opportunity (e.g., leveraging “weak ties”) while preserving self‑sovereignty.

Practical guardrails and architecture themes

  • Sandbox agent operations; separate machines or constrained environments to limit blast radius (Rahul, Alex).
  • Grant credentials progressively; assume secrets embedded in context can persist—even after “deletion.”
  • Verify both the messenger (identity) and the message (data provenance, signed sources) before taking high‑risk actions (Joanna, Rahul).
  • Design economic incentives so reputations are costly to fake and valuable to maintain (Danny, Alex).

Audience engagement

  • The host pinned a post for live questions; none were taken during the allotted window. Guests were invited to share product updates and will share highlights post‑session.

Advice to builders and practitioners

  • Alex
    • “Don’t be hindered by history; go do something wonderful.” Be bold: deploy agents, accept that some mistakes/attacks will occur, and learn fast. First‑hand experience is the fastest adaptation path in an exponential era.
  • Rahul
    • Beware “AI FOMO”: much social content is hype. Start small—use a fresh/sandboxed machine, grant minimal permissions, and iterate. Move beyond chat UIs: let agents self‑improve, evaluate third‑party claims critically, and build hands‑on intuition.
  • Joanna
    • It’s never too late to start. AI is deeply personal—make systems work for you. We stand between pre‑ and post‑AI worlds; integrate gradually and embrace AI as an enabling tool.
  • Danny
    • AI is a humbling, generational shift. Costs to try are low (many programs offer credits). Take a stepwise path: set up an agent; connect to on‑chain rails; add verifiable identity; then enable inter‑agent collaboration. Your best use case will be personal—and you may discover something novel.

Notable examples and highlights

  • Air Canada legal precedent: companies can be liable for agent/chatbot outputs—strengthening the case for verifiable ownership and accountability.
  • Malicious top skill on Claw Hub: fake metrics elevated malware, illustrating the need for skill vetting and authenticity checks.
  • Model Context Protocol (MCP) and agent‑ready APIs reduce friction for safe, programmatic access to cross‑chain liquidity (LI.FI).
  • Billions’ anchored identity and ZK‑based verification underpin circuit breakers and portable, self‑sovereign trust for humans and agents.

Closing

  • Thanks from Danny to Rahul, Joanna, and Alex. Follow the projects for updates and access:
    • Billions Network (identity and trust for humans/agents)
    • True North (AI‑assisted trading for discretionary traders; referral‑only beta)
    • LI.FI (agent‑ready cross‑chain liquidity via bridge+DEX aggregation)
  • Session highlights will be shared; next weekly Space announced for Thursday.