cobo-agentic-wallet-dev

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The AP2 shopping workflow (references/ap2-shopping.md) requires calling caw ap2 merchants / caw ap2 search against merchant A2A endpoints (including merchant-provided or user-supplied --merchant-url) and parsing returned cart JSON (session_id, carts, items, totals) which the agent then uses to decide and execute purchases, so arbitrary third-party merchant content can directly influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The included bootstrap script (scripts/bootstrap-env.sh) downloads and extracts remote binaries at runtime — e.g. the CAW tarball at https://download.agenticwallet.cobo.com/binary-release/.../caw---.tar.gz and the TSS node at https://download.tss.cobo.com/binary-release/latest/cobo-tss-node--.tar.gz — which fetches and installs remote executables that the skill relies on, so it executes remote code during setup.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet/transaction executor. It defines CLI commands to submit token transfers (caw tx transfer), smart contract calls (caw tx call), sign messages, perform DeFi operations (Uniswap V3 swaps, Aave lending, Jupiter swaps, DCA, grid trading, etc.), and manage pacts that authorize on‑chain spending. These are specific, purpose-built financial execution capabilities for crypto/blockchain transactions, not generic tooling.