cheetah-strategy
Warn
Audited by Snyk on May 21, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The producer explicitly fetches user-generated trading data via Senpi MCP calls (cfg.mcporter_call -> discovery_get_top_traders, leaderboard_get_markets, leaderboard_get_trader_positions) and includes those fields in the pushed signal payload which the runtime LLM gate ingests via the decision_prompt (SIGNAL {{signal_cheetah_signals}}) to decide/executing actions, so untrusted leaderboard/trader content can materially influence decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The installer pulls and installs code from external repositories (e.g. https://github.com/Senpi-ai/senpi-skills and raw.githubusercontent.com URLs used in the curl commands) which provide the senpi-trading-runtime/senpi_runtime_helpers modules that are required and executed by the producer (python cheetah-producer.py), so remote content is fetched and run as part of setup/runtime.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading strategy and references concrete order- and position-management operations and APIs. It names functions and endpoints used to open/close/edit positions and orders (create_position, close_position, cancel_order, edit_position, ratchet_stop_* , strategy_close_positions) and describes DSL-driven entries/exits (FEE_OPTIMIZED_LIMIT), leverage clamping via strategy_get_asset_trading_limits, and posting signals to runtime (/signals) that the runtime/DSL executes. The doc even states those execution tools are reserved for the producer/DSL, which confirms they exist. These are specific market-order/position management capabilities (i.e., moving money/placing trades), so this is Direct Financial Execution.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata