caracal-strategy

Warn

Audited by Socket on Jun 28, 2026

2 alerts found:

AnomalySecurity
AnomalyLOW
README.md

No concrete malware behavior is visible in this fragment because it contains deployment instructions rather than the strategy implementation. However, it establishes a high-impact supply-chain risk pattern: executable strategy code and runtime components are fetched and installed from public GitHub sources at install time without shown integrity/provenance pinning, then executed as persistent background daemons with an auth token provided via environment variables. To validate safety, the fetched caracal-producer.py, runtime YAMLs, and the installed runtime helpers must be reviewed for network exfiltration, credential misuse, notification abuse (Telegram), obfuscated execution, and any logic that could act beyond the intended trading behavior. As-is, the security posture should be treated as elevated until integrity controls (pin commits, verify hashes/signatures) and runtime behavior checks are in place.

Confidence: 48%Severity: 66%
SecurityMEDIUM
SKILL.md
Audit Metadata
Analyzed At
Jun 28, 2026, 08:49 PM
Package URL
pkg:socket/skills-sh/senpi-ai%2Fsenpi-skills%2Fcaracal-strategy%2F@38e22360b2a45060015b27ae14ec5c77d8e0039cdec442e82b1ef16f4416052d
Security Audit — socket — caracal-strategy