cobo-agentic-wallet-dev

Warn

Audited by Snyk on Apr 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to locate, download, install, and "follow" external skill packages from a public clawhub/registry (see references/sdk-scripting.md: "npx skills find ...", "If a matching skill package is found, install it and follow its instructions"), which are third‑party/user‑contributed artifacts the agent would ingest and execute and thus can materially influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The included bootstrap script (scripts/bootstrap-env.sh) downloads and extracts executable binaries from https://download.agenticwallet.cobo.com/... and https://download.tss.cobo.com/... at runtime. The skill requires this remote code to operate, so it depends on executables fetched from external URLs.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to manage on-chain funds and perform crypto financial operations. It exposes a dedicated CLI (caw) with commands for token transfers, smart-contract calls, swaps and DeFi execution (Uniswap, Aave, Jupiter), signing messages, nonce management, fee estimation, and transaction lifecycle tracking. It describes pact-based authorization, balance preflight, submitting transactions (caw tx transfer, caw tx call, etc.), and on-chain confirmation — all concrete mechanisms to move crypto assets. This matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" category in the core rule, so it grants direct financial execution capability (crypto).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 09:34 AM
Issues: 3