lemur-strategy

Warn

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's README.md provides instructions to download strategy scripts and configuration files from a remote GitHub repository (https://raw.githubusercontent.com/Senpi-ai/senpi-skills/). These files are necessary for the skill's primary functionality.
  • [REMOTE_CODE_EXECUTION]: The installation process involves fetching external Python scripts and executing them. Furthermore, the scripts/lemur_config.py file dynamically modifies sys.path by calculating the location of the senpi-trading-runtime dependency at runtime, which is a form of dynamic code loading.
  • [COMMAND_EXECUTION]: The README.md documentation includes shell commands for creating workspace directories, downloading external files, and executing the strategy producer as a background daemon using nohup and disown.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Untrusted data is ingested from external market and sentiment APIs via MCP tools in scripts/lemur-producer.py. This data (e.g., asset names, trend descriptions, and trader sentiment) is interpolated directly into the LLM decision prompt in runtime.yaml using the {{signal_lemur_signals}} placeholder. There are no sanitization mechanisms or explicit boundary markers to prevent malicious content within this external data from influencing the LLM's logic for the OPEN_POSITION action.
  • [CREDENTIALS_UNSAFE]: The skill requires the user to provide a sensitive authentication token (SENPI_AUTH_TOKEN) through environment variables. This token is used by the producer scripts to authenticate requests to MCP tools and signal processing services.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 28, 2026, 08:48 PM
Security Audit — agent-trust-hub — lemur-strategy