Cobo Agentic Wallet

Security checks across malware telemetry and agentic risk

Overview

This Cobo wallet skill is coherent, but it needs Review because it can affect real crypto funds and includes under-scoped automatic pact, update, and PATH changes.

Install only if you trust Cobo’s wallet tooling and are comfortable with an agent having delegated crypto-wallet authority. Use small limits or testnets first, review every pact in the app before approving, avoid automatic skill updates or unreviewed external skill installs during wallet operations, keep API keys out of scripts/logs/chat, and inspect any shell startup files modified by the bootstrap script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The instruction to self-update by running `npx skills update` gives the skill authority to fetch and execute updated code/packages on the local machine. In a high-risk wallet context, this expands the trust boundary to package distribution and can be abused for code execution or unexpected behavior changes without a deliberate review step.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The document first says not to use natural-language suggestion text for conditional logic, then later instructs behavior based on whether the suggestion contains phrases like 'retry with' or 'ask the wallet owner'. In a wallet automation context, this can cause brittle control flow where server wording changes or crafted text alters whether the agent retries, stops, or escalates, potentially triggering unintended financial actions.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The guidance authorizes automatically creating and submitting a pact when a transfer is denied by a daily limit, even though that is a new privileged action the user did not explicitly request. In an agentic wallet, converting a blocked transfer into an approval workflow can bypass user expectations, create authorization artifacts, and pressure owners into approving transactions they did not directly initiate.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The script does more than temporary bootstrapping: it creates a symlink in a PATH location and may permanently modify shell startup files to prepend a directory. That persistent environment mutation is security-relevant because it changes future command resolution and exceeds the narrowly described download/bootstrap behavior, which can surprise users and increase trust abuse risk if the installed binary is later replaced.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger language matches broad terms like crypto wallet operation, Cobo, pact, MPC wallet, and agent wallet, which can cause over-activation on loosely related requests. Over-broad routing is dangerous here because this skill has authority to propose or execute sensitive wallet actions and may be selected when a narrower or safer skill would be more appropriate.

Missing User Warnings

Medium
Confidence: 98%
Finding
The instruction to immediately submit a new pact after merely informing the user removes an important consent checkpoint for a sensitive financial operation. Because pacts are authorization mechanisms in a crypto wallet environment, automatic submission can create irreversible workflow side effects and socialize unauthorized transaction attempts to the wallet owner.

Missing User Warnings

Medium
Confidence: 89%
Finding
The document shows how to retrieve wallet credentials and includes hard-coded placeholders for API keys and wallet UUIDs, but it does not warn users to treat these as secrets, avoid committing them to source control, or prefer environment variables/secret stores. In a wallet-management skill handling on-chain transfers and contract calls, this omission materially increases the chance that real credentials will be embedded in scripts and leaked, enabling unauthorized wallet operations.

Missing User Warnings

Medium
Confidence: 91%
Finding
Silently appending PATH changes to shell configuration files is a persistent system modification without explicit upfront consent. In a wallet-management skill that downloads executables, this is more sensitive because it establishes long-lived command precedence for a crypto-related CLI, increasing the blast radius if the binary, install dir, or symlink target is later tampered with.

Ssd 4

Medium
Confidence: 95%
Finding
Telling the user 'I'm submitting a pact' as part of denial handling frames the action as a routine continuation of the original request, even though it is a separate authorization event. This is misleading in a high-risk wallet skill because the user may believe no further action beyond notification is occurring, while the agent actually creates a new approval artifact.

VirusTotal

57/57 vendors flagged this skill as clean.
