chameleon-strategy

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The documentation provides instructions to download strategy components and script files directly from the vendor's official GitHub repository (Senpi-ai/senpi-skills) using curl.
  • [COMMAND_EXECUTION]: The skill configuration and README include instructions for the user to execute shell commands to install dependencies, configure the environment, and launch the strategy as a long-lived background process using nohup and disown.
  • [REMOTE_CODE_EXECUTION]: The Python scripts utilize dynamic path manipulation (sys.path.insert) to locate and load the senpi_runtime_helpers library from the local environment, which is the expected mechanism for integrating with the required trading SDK.
  • [DATA_EXFILTRATION]: The skill requires sensitive environment variables such as SENPI_AUTH_TOKEN and CHAMELEON_WALLET. These are used appropriately to authenticate MCP tool calls and push trading signals to the vendor's platform for execution.
  • [PROMPT_INJECTION]: The LLM decision prompt in runtime.yaml acts as a pass-through mechanism, instructing the agent to honor the signals generated by the producer script. This is standard for automated trading strategies where the logic resides in the code rather than the LLM inference step.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 28, 2026, 08:48 PM
Security Audit — agent-trust-hub — chameleon-strategy