lynx-strategy

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions specify downloading components from the author's GitHub repository (github.com/Senpi-ai). These are identified as vendor resources and do not pose a security risk.
  • [COMMAND_EXECUTION]: The agent runs a long-lived producer script (lynx-producer.py) to manage trading signals and behavior adjustments. The execution is handled via a managed daemon process.
  • [PROMPT_INJECTION]: The skill implements a self-tuning loop that ingests its own past ai_reasoning data to optimize entry thresholds. This represents an indirect injection surface but is used for legitimate strategy optimization.
  • Ingestion points: Trade reasoning records are fetched via the audit_query MCP tool in scripts/lynx-producer.py.
  • Boundary markers: None present for the ingested reasoning data.
  • Capability inventory: push_signal (network signal emission) and writing to the lynx-state.json file.
  • Sanitization: The script uses a strict regular expression (\bscore[:\s=]+(\d+)\b) to extract only integer values from the reasoning text, which effectively prevents the execution of embedded instructions.
  • [SAFE]: No hardcoded credentials, unauthorized persistence mechanisms, or obfuscation techniques were detected. The skill follows best practices by using environment variables for authentication tokens and implementing atomic file writes for state management.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 28, 2026, 08:48 PM
Security Audit — agent-trust-hub — lynx-strategy