      dinstein

      Safety Report

      Cobo TSS Node

      @dinstein

      Manage a Cobo TSS Node for MPC threshold signing. Use when: setting up a new TSS Node, starting/stopping the node service, checking node status or health, si...

      141 Downloads
      0 Installs
      0 Stars
      1 Versions
      Healthcare460

      Security Analysis

      high confidence
      Clean

      The skill's requirements, scripts, and runtime instructions are coherent with the stated purpose of installing and operating a local Cobo TSS Node; nothing in the bundle requests unrelated credentials or performs obvious exfiltration.

      Mar 7, 2026 · 9 files · 1 concern
      Purpose & Capability: ok

      Name/description describe installing and managing a local TSS node; the package contains scripts to download a binary, initialize a DB, manage key files, install a user service, inspect groups, sign, export shares, backup, and update — all consistent with the stated purpose.

      Instruction Scope: ok

      SKILL.md and the scripts operate on ~/.cobo-tss-node, the local binary, and local DB/key files. They do not attempt to read unrelated system paths or request unrelated environment variables, nor do they send data to unexpected remote endpoints in the scripts (only GitHub is used to fetch releases).

      Install Mechanism: note

      There is no packaged install spec — install.sh uses curl + GitHub Releases to download a tar.gz and extracts the binary into the user's ~/.cobo-tss-node. Using GitHub releases is reasonable, but it does pull executable code from the network and places it on disk; users should verify the release source and checksums before trusting the binary.

      Credentials: ok

      The skill declares only curl and python3 as required binaries and asks for no environment variables or credentials. Scripts create and use a local keyfile (.password) and local DB; these are proportional to the node-management purpose.

      Persistence & Privilege: ok

      The skill does not request always:true and is user-invocable. Service installation is per-user (systemd --user / launchd LaunchAgent). It does not modify other skills or global agent settings.

      Guidance

      This skill appears internally consistent, but exercise normal caution:

      1) install.sh downloads a prebuilt cobo-tss-node binary from a GitHub repository (CoboTest/cobo-tss-node-release) — verify the repository, release tag, and checksums or signatures before running the binary.
      2) Backups created by the scripts include the .password key file and secrets.db — these backups contain everything needed to restore the node, so store them securely and consider encrypting offsite backups.
      3) The service runs as your user and the binary may contact network endpoints (not part of these scripts); review the upstream binary behavior and network policy if you require stricter isolation.
      4) If you are unsure about the upstream binary, consider building from source or running the binary in a restricted environment (container/VM) first.

      Latest Release

      v0.2.0

      Fix macOS launchctl label mismatch, add backups to ReadWritePaths, fix ProtectHome conflict, add --force to setup-keyfile for non-interactive use, fix SHA256SUMS missing dotfiles, fix health check crash on missing service, add 29 test cases

      Published by @dinstein on ClawHub
