turbine-strategy
Warn
Audited by Snyk on May 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The producer daemon (scripts/turbine-producer.py) calls mcporter_call("market_get_asset_data") and other MCP tools via the senpi wrapper (scripts/turbine_config.py) to ingest external market/order-book and order data which are embedded into signals (emit_signal) that are then fed into the runtime LLM decision prompts (runtime-volume.yaml / runtime-runners.yaml), so untrusted third‑party market content can directly influence automated decisioning and subsequent tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The install steps fetch and then execute code and prompt templates from the Senpi repo (e.g. https://github.com/Senpi-ai/senpi-skills and raw.githubusercontent.com/.../Senpi-ai/senpi-skills/main/turbine/...), and those fetched YAMLs/scripts include LLM decision_prompt text and the producer daemon code that run at runtime, so remote content directly controls prompts and is executed.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading strategy with direct market execution controls. It names wallet env vars (TURBINE_VOLUME_WALLET, TURBINE_RUNNERS_WALLET with "0x..." placeholders), budget/margin/leverage settings, slot/account_value logic, and describes order mechanics (maker/taker, fills, ALO orders, resting orders). Crucially, it references execution API/function names such as create_position, close_position, edit_position, ratchet_stop_, cancel_order, strategy_close and enforces who may call them (producer/DSL only). The producer daemon and runtimes read wallets and emit signals that result in on-chain/order actions (notional volumes, fills). These are specific crypto/market-order execution capabilities, not generic tooling.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata