chameleon-strategy
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation provides instructions to download strategy components and script files directly from the vendor's official GitHub repository (Senpi-ai/senpi-skills) using
curl. - [COMMAND_EXECUTION]: The skill configuration and README include instructions for the user to execute shell commands to install dependencies, configure the environment, and launch the strategy as a long-lived background process using
nohupanddisown. - [REMOTE_CODE_EXECUTION]: The Python scripts utilize dynamic path manipulation (
sys.path.insert) to locate and load thesenpi_runtime_helperslibrary from the local environment, which is the expected mechanism for integrating with the required trading SDK. - [DATA_EXFILTRATION]: The skill requires sensitive environment variables such as
SENPI_AUTH_TOKENandCHAMELEON_WALLET. These are used appropriately to authenticate MCP tool calls and push trading signals to the vendor's platform for execution. - [PROMPT_INJECTION]: The LLM decision prompt in
runtime.yamlacts as a pass-through mechanism, instructing the agent to honor the signals generated by the producer script. This is standard for automated trading strategies where the logic resides in the code rather than the LLM inference step.
Audit Metadata