cobo-agentic-wallet-sandbox

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's recipes (e.g., recipes/solana-defi-dex-swap.md and solana-defi-dca.md, evm-defi-* files, and evm-defi-polymarket.md) explicitly instruct the agent to fetch and parse public third‑party API/web endpoints (Jupiter quote/swap-instructions, CoinGecko/price.jup.ag, Polymarket CLOB, etc.) and to use those responses to build and submit transactions, so untrusted external content can directly influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill clearly fetches and executes remote-run content at runtime—for example it calls Jupiter APIs (https://quote-api.jup.ag/v6/quote and https://quote-api.jup.ag/v6/swap-instructions) to obtain swap instructions that are converted and submitted as on-chain transactions, and its bootstrap installs/extracts binaries from https://download.agenticwallet.cobo.com/... and https://download.tss.cobo.com/... which are downloaded and used locally—these remote resources directly supply executable instructions/code the skill relies on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet/DeFi execution tool. It documents direct transaction commands (e.g., caw tx transfer, caw tx call), token transfers (USDC, USDT, ETH, SOL), smart contract calls, swaps (Uniswap V3, Jupiter), lending (Aave V3), DCA, grid trading, perps, and other on-chain operations. These are specific, purpose-built financial operations for moving and managing crypto funds (wallet transfers, swaps, contract interactions), not generic tooling. This matches the "Crypto/Blockchain (Wallets, Swaps, Signing)" and "Market Orders / DeFi execution" categories in the Direct Financial Execution definition, so it must be flagged.