salamander-strategy

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill implements its stated purpose as a trading strategy using standard Senpi platform components. All logic is transparently defined in Python and YAML, adhering to expected behavioral norms for this vendor category.\n- [EXTERNAL_DOWNLOADS]: The skill's installation guide in README.md provides a shell loop that uses curl to download scripts and configuration files from the vendor's official repository (github.com/Senpi-ai/senpi-skills). This is a known-vendor resource used for standard skill deployment.\n- [COMMAND_EXECUTION]: The skill setup involves creating directories and executing the producer script (salamander-producer.py) using nohup. These are standard operational commands for maintaining a persistent signal scanner.\n- [DATA_EXFILTRATION]: The skill retrieves market data (candles) and trader sentiment via authorized MCP tools (market_get_asset_data, leaderboard_get_markets). This data is used internally by the producer to generate scores and is not sent to unauthorized third-party domains.\n- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it ingests market and leaderboard data. Ingestion points: market_get_asset_data and leaderboard_get_markets tools in salamander-producer.py. Capability inventory: OPEN_POSITION action in runtime.yaml. Sanitization: The producer script performs numerical analysis and scoring on the ingested data before emitting a structured signal. The LLM decision prompt in runtime.yaml includes strict conversion rules to ensure signal integrity during execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 28, 2026, 08:48 PM
Security Audit — agent-trust-hub — salamander-strategy