cobo-agentic-wallet-sandbox-test

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and process merchant-provided carts from external A2A endpoints (see references/ap2-shopping.md: "caw ap2 merchants" / "caw ap2 search" which returns merchant_url and carts), which are untrusted third-party contents that the agent must read and that can directly influence payment actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime bootstrap script that downloads and extracts executable binaries from external URLs (e.g., https://download.agenticwallet.cobo.com/binary-release/... for the caw tarball and https://download.tss.cobo.com/binary-release/latest for the TSS node) which are required dependencies and result in executing remote code on the host.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet/DeFi execution tool. It documents direct commands to submit token transfers (caw tx transfer), smart contract calls (caw tx call), sign messages, and DeFi actions (Uniswap V3 swaps, Aave V3 lending, Jupiter swaps, DCA, grid trading, perps). It covers supported chains, token IDs, fee estimation, idempotent transfer submission, execution authorization flows, and scripting for automated on-chain operations. These are not generic utilities — they are purpose-built for moving crypto, interacting with financial contracts, and executing trades. Therefore it grants direct financial execution capability.