caribou-strategy

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's documentation provides instructions to download its core components (scripts, configurations, and runtime definitions) from the vendor's official GitHub repository (https://github.com/Senpi-ai/senpi-skills). These are verified vendor resources.
  • [COMMAND_EXECUTION]: The installation guide recommends running the producer script as a background daemon using shell commands such as setsid, nohup, and disown. This is a documented method for ensuring process persistence across user sessions.
  • [PROMPT_INJECTION]: The runtime-long.yaml and runtime-short.yaml files implement defensive prompt engineering. The LLM is provided with strict output rules and hard skip conditions to prevent it from executing malformed or unintended trades, which serves as a mitigation against indirect prompt injection from market data.
  • [DATA_EXFILTRATION]: The skill requires a SENPI_AUTH_TOKEN for communication with the trading platform. All network operations, including signal ingestion and MCP (Model Context Protocol) calls, are directed towards the vendor's infrastructure or the local runtime environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 28, 2026, 08:48 PM
Security Audit — agent-trust-hub — caribou-strategy