senpi-trading-runtime
Warn
Audited by Snyk on May 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts arbitrary external_scanner signals via POST /signals from out‑of‑process producers (see "External-scanner push ingest" and references/external-producers.md / SKILL.md Step 5) and feeds those signal payloads into decision engines including LLM-gated actions (e.g., the momentum-guarded strategy's decision_prompt injects {{signal_external_momentum}}), so untrusted, user-provided signal content can directly influence agent decisions and tool actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading runtime for Hyperliquid that opens, manages and closes market/limit orders and on-chain positions. Evidence:
- It describes flows where external producers POST /signals and actions “decide … open positions”.
- It references FEE_OPTIMIZED_LIMIT orders with taker fallback and mentions MARKET as an order type — i.e., order execution APIs.
- It tracks and manages wallets/strategy wallets (including creating a strategy via MCP with an initialBudget in USDC) and enforces risk guard rails while executing trades.
- It includes a Python Producer SDK that is the canonical client for the runtime’s /signals endpoint (used to trigger executions).
These are specific, purpose-built financial execution capabilities (placing/managing market and limit orders and interacting with strategy wallets), so this skill grants direct financial execution authority.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata