caribou-strategy
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's documentation provides instructions to download its core components (scripts, configurations, and runtime definitions) from the vendor's official GitHub repository (
https://github.com/Senpi-ai/senpi-skills). These are verified vendor resources. - [COMMAND_EXECUTION]: The installation guide recommends running the producer script as a background daemon using shell commands such as
setsid,nohup, anddisown. This is a documented method for ensuring process persistence across user sessions. - [PROMPT_INJECTION]: The
runtime-long.yamlandruntime-short.yamlfiles implement defensive prompt engineering. The LLM is provided with strict output rules and hard skip conditions to prevent it from executing malformed or unintended trades, which serves as a mitigation against indirect prompt injection from market data. - [DATA_EXFILTRATION]: The skill requires a
SENPI_AUTH_TOKENfor communication with the trading platform. All network operations, including signal ingestion and MCP (Model Context Protocol) calls, are directed towards the vendor's infrastructure or the local runtime environment.
Audit Metadata