Skills
skills/senpi-ai/senpi-skills/cobra-strategy/Gen Agent Trust Hub

cobra-strategy

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script cobra_config.py utilizes subprocess.run to call the mcporter CLI tool. This is a standard mechanism within the Senpi ecosystem for retrieving market data and executing trade instructions via the Model Context Protocol (MCP).
  • [EXTERNAL_DOWNLOADS]: The documentation references official GitHub repositories and specification files hosted under the Senpi-ai organization. These are recognized as trusted vendor resources.
  • [DATA_EXPOSURE]: The skill retrieves account identifiers and wallet addresses from environment variables (COBRA_WALLET, COBRA_STRATEGY_ID). This is necessary for legitimate trading operations and does not involve hardcoded secrets.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted market data (asset names, candle data) from external exchanges via the MCP.
  • Ingestion points: market_get_asset_data, leaderboard_get_markets, and market_list_instruments calls in cobra-scanner.py.
  • Boundary markers: None present in the standard output passed to the agent.
  • Capability inventory: Subprocess execution (mcporter) and local state file writes (scripts/cobra_config.py).
  • Sanitization: Data is parsed as JSON, but specific string fields from market data are interpolated into output messages without explicit filtering.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 12, 2026, 06:26 PM