> For the complete documentation index, see [llms.txt](/llms.txt). # Security MetaMask Agent Wallet applies mandatory security on every transaction. Agents cannot opt out of the security pipeline. ## Transaction simulation[​](#transaction-simulation "Direct link to Transaction simulation") Before a transaction executes, the CLI simulates it to surface reverts, unexpected state changes, and other failures early. ## Transaction Shield (powered by Blockaid)[​](#transaction-shield-powered-by-blockaid "Direct link to Transaction Shield (powered by Blockaid)") Transaction Shield scans transactions for known threats. Malicious transactions are blocked before they execute. When a transaction is flagged, you receive details in the CLI output and through the approval flow. ## Servo MEV protection[​](#servo-mev-protection "Direct link to Servo MEV protection") Servo helps protect transactions from sandwich attacks and related MEV extraction where supported on the target chain. ## Cubist TEE-backed key custody[​](#cubist-tee-backed-key-custody "Direct link to Cubist TEE-backed key custody") In server-wallet mode, private keys are held inside a Cubist trusted execution environment (TEE). Keys are not exposed to the agent process. You retain self-custody and can export your secret recovery phrase when supported by your account configuration. ## Two-factor approval (2FA)[​](#two-factor-approval-2fa "Direct link to Two-factor approval (2FA)") When a transaction violates your policy or is flagged as high risk, the CLI pauses the job until you approve or reject it. Approval is delivered through: - MetaMask Mobile push notification, or - Email link with transaction details The agent cannot proceed without your approval. ## Guard Mode and Beast Mode[​](#guard-mode-and-beast-mode "Direct link to Guard Mode and Beast Mode") | Mode | Policy enforcement | 2FA | | -------------------- | ------------------------------------------ | --------------------------------------------------- | | Guard Mode (default) | Daily spend limits and protocol allowlists | On policy violations | | Beast Mode (opt-in) | Reduced policy interruptions | Still required on malicious or flagged transactions | Configure modes at initialization: ``` mm init --wallet server-wallet --mode guard mm init --wallet server-wallet --mode beast ``` ## Next steps[​](#next-steps "Direct link to Next steps") - [Choose your wallet mode](/agent-wallet/get-started/choose-wallet-mode/) - [Architecture](/agent-wallet/concepts/architecture/)