cobotest/cobo-tss-node
/SKILL.md
Manage a Cobo TSS Node for MPC threshold signing. Use when: setting up a new TSS Node, starting/stopping the node service, checking node status or health, signing for key share checkups, exporting shares for disaster recovery, backing up or updating the node, installing as a systemd or launchd service. NOT for: Cobo WaaS API integration, on-chain transaction building, or wallet UI.
$ install --global
skillsauthnpx skillsauth add cobotest/cobo-tss-node-skill cobo-tss-nodeInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 3:22 PM6.9s14 files scanned
SKILL.md
- name:
- cobo-tss-node
- description:
- Manage a Cobo TSS Node for MPC threshold signing. Use when: setting up a new TSS Node, starting/stopping the node service, checking node status or health, signing for key share checkups, exporting shares for disaster recovery, backing up or updating the node, installing as a systemd or launchd service. NOT for: Cobo WaaS API integration, on-chain transaction building, or wallet UI.
- version:
- 0.4.0
- "emoji":
- 🔐",
- "requires":
- { "bins": ["curl", "python3"] },
Cobo TSS Node
Manage a Cobo TSS Node — the client-side MPC signing component for Cobo's co-managed custody.
When to Use
✅ USE this skill when:
- Installing the Cobo TSS Node binary
- Initializing a new TSS Node (generating keys + Node ID)
- Starting/stopping/restarting the node service
- Installing as a system service (Linux systemd / macOS launchd)
- Checking node health, viewing groups, or reading logs
- Periodic key share checkup signing
- Exporting shares for disaster recovery
- Backing up or updating the node
❌ DON'T use this skill when:
- Interacting with Cobo WaaS REST API → use Cobo SDK
- Building on-chain transactions directly
- Managing Cobo Portal (web UI operations)
Environments
| Environment | Default Directory | Start Flag | Service Name |
|-------------|-------------------|------------|--------------|
| dev | ~/.cobo-tss-node-dev | --dev | cobo-tss-node-dev |
| prod | ~/.cobo-tss-node | --prod | cobo-tss-node |
All scripts require --env <dev|prod>. Dev and prod can run side-by-side on the same machine with separate data directories, services, and configs.
Quick Start
./scripts/install.sh --env dev # Download binary (dev)
./scripts/setup-keyfile.sh --env dev # Create password file
./scripts/init-node.sh --env dev # Initialize (outputs Node ID)
./scripts/install-service.sh linux --env dev # Install systemd service
./scripts/node-ctl.sh start --env dev # Start
Scripts
| Script | Purpose |
|--------|---------|
| scripts/install.sh | Download binary from GitHub releases |
| scripts/setup-keyfile.sh | Create .password key file (mode 600) |
| scripts/init-node.sh | Initialize node keys and database |
| scripts/node-info.sh | View Node ID and group info |
| scripts/start-node.sh | Start node in foreground |
| scripts/install-service.sh | Install as systemd (Linux) or launchd (macOS) service |
| scripts/node-ctl.sh | Unified daily operations CLI |
Daily Operations
All post-install operations go through node-ctl.sh:
./scripts/node-ctl.sh <command> --env <dev|prod> [--dir DIR]
Node Info
./scripts/node-ctl.sh info --env prod
Displays Node ID and metadata. Equivalent to cobo-tss-node info.
Service Management
| Command | Description |
|---------|-------------|
| status | Show service status (systemctl/launchctl) |
| start | Start the TSS Node service |
| stop | Stop the service |
| restart | Restart the service |
| logs | View recent logs (last 50 lines) |
| logs -f | Tail logs in real time |
| logs --lines=200 | View more log lines |
Linux uses journalctl, macOS reads from ~/.cobo-tss-node/logs/launchd-stdout.log.
Health Check
./scripts/node-ctl.sh health
Checks in one command:
- ✅/❌ Service running status
- 📌 Binary version
- ✅/❌ Database exists + file size
- ✅/❌ Config file present
- ✅/⚠️ Key file permissions (must be 600)
- 💾 Available disk space
- 📋 Node ID and metadata
MPC Group Management
./scripts/node-ctl.sh groups # List all MPC groups
./scripts/node-ctl.sh group <group-id> # Inspect a specific group
Shows group details: participants, threshold, public key, protocol type.
Key Share Checkup (Periodic Signing)
./scripts/node-ctl.sh sign <group-id> [message]
- ⚠️ This is NOT an MPC co-signing operation. It uses the local key share directly to sign a message, verifying that the share exists and is intact.
- Purpose: prove key share integrity — confirm the share hasn't been corrupted or lost
- If no message given, auto-generates:
checkup-YYYY-MM-DD - Recommended: run weekly or after any infrastructure changes
- This is a local-only operation (no network/WebSocket needed, no MPC ceremony involved)
Disaster Recovery Export
./scripts/node-ctl.sh export <group-id1,group-id2,...>
- Exports encrypted key share files to a timestamped directory:
~/.cobo-tss-node/recovery/YYYYMMDD-HHMMSS/ - Exported files are encrypted — need the database password to restore
- Recommended: export after every keygen or key reshare, store offsite
Backup
./scripts/node-ctl.sh backup
Creates a timestamped backup at ~/.cobo-tss-node/backups/YYYYMMDD-HHMMSS/ containing:
secrets.db— encrypted database (key shares, session data)cobo-tss-node-config.yaml— configuration.password— key fileSHA256SUMS— integrity checksums
⚠️ Store backups securely — contains everything needed to restore the node.
Update Binary
./scripts/node-ctl.sh update # Update to latest
./scripts/node-ctl.sh update --version=v0.13.0 # Update to specific version
What it does:
- Stops the service
- Backs up current binary as
cobo-tss-node.bak - Downloads and installs new version
- Runs database migration (if needed)
- Restarts the service
- Shows new version
Database Migration
./scripts/node-ctl.sh migrate # Run migration
./scripts/node-ctl.sh migrate --dry-run # Preview only
Run after binary updates. The update command does this automatically.
Change Password
./scripts/node-ctl.sh change-password
Changes the database encryption password. Also updates the key file.
Uninstall Service
./scripts/node-ctl.sh uninstall
Removes the systemd/launchd service but keeps all data in ~/.cobo-tss-node/. To fully remove: rm -rf ~/.cobo-tss-node.
Recommended Maintenance Schedule
| Task | Frequency | Command |
|------|-----------|---------|
| Health check | Daily | node-ctl.sh health --env prod |
| Key share checkup | Weekly | node-ctl.sh sign --env prod <group-id> |
| Backup | Weekly | node-ctl.sh backup --env prod |
| Log review | Weekly | node-ctl.sh logs --env prod --lines=500 |
| Export shares | After keygen/reshare | node-ctl.sh export --env prod <group-ids> |
| Update binary | On new release | node-ctl.sh update --env prod |
| Password rotation | Quarterly | node-ctl.sh change-password --env prod |
Configuration Reference
Config file: ~/.cobo-tss-node/configs/cobo-tss-node-config.yaml
Key sections:
env:development/productiondb.path: database file pathcallback.cb_server: risk control callback URL + public key (v1)callback.cb_server_v2: risk control callback URL + public key (v2)event.server: event publish endpoints (keygen/keysign/reshare notifications)embedded_risk_control_rules: local allow/reject rules for keygen, keysign, resharelog: stdout + file logging configmetrics: InfluxDB monitoring endpoint
Directory Layout
# Production: ~/.cobo-tss-node/
# Development: ~/.cobo-tss-node-dev/
~/.cobo-tss-node/ # (or ~/.cobo-tss-node-dev/)
├── cobo-tss-node # binary
├── cobo-tss-node.bak # previous binary (after update)
├── .password # key file (chmod 600)
├── .env # environment marker (dev/prod)
├── configs/
│ ├── cobo-tss-node-config.yaml # active config
│ └── cobo-tss-node-config.yaml.template # template reference
├── db/
│ └── secrets.db # AES-GCM encrypted database
├── logs/ # log files
├── recovery/ # exported key shares
│ └── YYYYMMDD-HHMMSS/
└── backups/ # full backups
└── YYYYMMDD-HHMMSS/
├── secrets.db
├── cobo-tss-node-config.yaml
├── .password
└── SHA256SUMS
Key Design Decisions
--key-fileused on all commands for non-interactive operation (required for service mode)- Database is AES-GCM encrypted;
.passwordfile must be mode600 - Linux service runs with
NoNewPrivileges,ProtectSystem=strict,ReadWritePathslimited to db/logs/recovery - macOS agent uses
KeepAlive+ThrottleIntervalfor auto-restart on failure - Backups include SHA256 checksums for integrity verification
Troubleshooting
| Symptom | Cause | Fix |
|---------|-------|-----|
| Service won't start | Missing config file | cp configs/*.template configs/cobo-tss-node-config.yaml |
| "password" prompt on start | Missing --key-file | Reinstall service: install-service.sh linux |
| Permission denied on .password | Wrong file mode | chmod 600 ~/.cobo-tss-node/.password |
| Init fails | DB already exists | Check with node-info.sh; delete db/secrets.db only if intentional |
| WebSocket connection failed | Wrong environment flag | Match --dev/--prod to your Cobo Portal environment |
| Service exits immediately | Port or resource conflict | Check node-ctl.sh logs for error details |
| Migration fails | Version incompatibility | Try migrate --dry-run first; contact Cobo support if persistent |
Related Skills
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-parallels-smoke
development
VerifiedTrustedCommunity
End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.
357,764SKILL.mdUpdated Apr 10, 2026