piranha-strategy

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements an LLM-based decision gate in runtime.yaml that processes market data signals via template interpolation ({{signal_piranha_signals}}). This configuration creates a surface for indirect prompt injection.
  • Ingestion points: Market data (open interest, candles, and order book) is fetched from the platform's MCP tools in scripts/piranha-producer.py and passed to the LLM gate.
  • Boundary markers: The LLM prompt uses standard placeholder interpolation without explicit escape delimiters or safety instructions regarding the content of the data fields.
  • Capability inventory: The agent has the capability to execute the OPEN_POSITION action based on the LLM's decision.
  • Sanitization: The producer script validates the market data and casts relevant signals to specific numeric types (floats) before including them in the emitted signal block.
  • [EXTERNAL_DOWNLOADS]: The README.md provides installation instructions involving the download of scripts and configuration files from the author's public GitHub repository (github.com/Senpi-ai). These downloads are part of the standard deployment process for the strategy.
  • [COMMAND_EXECUTION]: The strategy utilizes a long-lived Python daemon script (piranha-producer.py) to monitor assets and generate signals. This script interacts with the local system environment and the trading runtime SDK to perform its duties.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 28, 2026, 08:48 PM
Security Audit — agent-trust-hub — piranha-strategy