roach-strategy

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The install step fetches runtime.yaml from https://raw.githubusercontent.com/Senpi-ai/senpi-skills/main/roach/runtime.yaml (and related scripts at https://raw.githubusercontent.com/Senpi-ai/senpi-skills/main/roach/scripts/roach-producer.py and https://raw.githubusercontent.com/Senpi-ai/senpi-skills/main/roach/scripts/roach_config.py), and runtime.yaml contains the LLM decision_prompt used by the runtime while the fetched scripts are executed by cron, so externally hosted content directly controls agent prompts and supplies executable code that the skill depends on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a trading strategy whose runtime performs order placement and trade exits. The doc repeatedly describes the runtime executing OPEN_POSITION and exits via a FEE_OPTIMIZED_LIMIT order type (maker-first with taker fallback), manages DSL exits, uses a strategy wallet (${WALLET_ADDRESS}, ROACH_WALLET), and enforces margin/leverage/slot limits. It therefore contains specific market-order execution capabilities (sending trading transactions), not just generic scanning or HTTP tooling. This matches "Market Orders (Buying/Selling stocks or assets)" in the core rule.