cub-strategy
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified in the LLM decision-making process.
- Ingestion points: The strategy script
cub-producer.pyfetches market data, including instrument names and asset contexts, from the Hyperliquid exchange using MCP tools such asmarket_get_asset_dataandmarket_list_instruments. - Boundary markers: The LLM decision prompts in
runtime-long.yaml,runtime-short.yaml, andruntime-preipo.yamlinterpolate this external signal data using{{signal_...}}placeholders without explicit delimiters or instructions to treat the content as untrusted data. - Capability inventory: The skill has the
OPEN_POSITIONcapability, enabling it to execute financial trades based on LLM evaluations. - Sanitization: String data retrieved from the exchange (such as asset names or metadata) is not sanitized or validated before being interpolated into the prompt.
- [EXTERNAL_DOWNLOADS]: The skill's documentation provides instructions to download the core trading runtime and strategy producer scripts directly from the vendor's official GitHub repository.
Audit Metadata