cobo-agentic-wallet-sandbox
Warn
Audited by Snyk on May 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly requires running "caw recipe search" and reading matched recipes (pact.md / SKILL.md) and instructs the agent to consult URLs in a recipe's "References" section and an external manual (https://cobo.com/products/agentic-wallet/manual/llms.txt), so the agent will fetch and interpret public third‑party web content that can directly alter pact generation and on‑chain actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly directs runtime downloads and execution via scripts (scripts/bootstrap-env.sh) that fetch binaries from https://download.agenticwallet.cobo.com/... and https://download.tss.cobo.com/..., and also tells the agent to fetch runtime instructions from https://cobo.com/products/agentic-wallet/manual/llms.txt, so external content is fetched at runtime and can execute code or influence agent behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain financial operations. It defines and requires use of the Cobo "caw" CLI for token transfers, contract calls, swaps (Uniswap, Aave, Jupiter), pact creation/approval, tx submission (caw tx transfer, caw tx call, caw tx sign-message), nonce/gas management, tx speedup/drop, and other wallet-onboarding and execution flows. These are concrete crypto/blockchain transaction APIs and wallet operations (not generic tooling), so the skill grants direct financial execution capability.
Issues (3)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).