lemur-strategy
Warn
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's
README.mdprovides instructions to download strategy scripts and configuration files from a remote GitHub repository (https://raw.githubusercontent.com/Senpi-ai/senpi-skills/). These files are necessary for the skill's primary functionality. - [REMOTE_CODE_EXECUTION]: The installation process involves fetching external Python scripts and executing them. Furthermore, the
scripts/lemur_config.pyfile dynamically modifiessys.pathby calculating the location of thesenpi-trading-runtimedependency at runtime, which is a form of dynamic code loading. - [COMMAND_EXECUTION]: The
README.mddocumentation includes shell commands for creating workspace directories, downloading external files, and executing the strategy producer as a background daemon usingnohupanddisown. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Untrusted data is ingested from external market and sentiment APIs via MCP tools in
scripts/lemur-producer.py. This data (e.g., asset names, trend descriptions, and trader sentiment) is interpolated directly into the LLM decision prompt inruntime.yamlusing the{{signal_lemur_signals}}placeholder. There are no sanitization mechanisms or explicit boundary markers to prevent malicious content within this external data from influencing the LLM's logic for theOPEN_POSITIONaction. - [CREDENTIALS_UNSAFE]: The skill requires the user to provide a sensitive authentication token (
SENPI_AUTH_TOKEN) through environment variables. This token is used by the producer scripts to authenticate requests to MCP tools and signal processing services.
Audit Metadata