cobra-strategy
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's implementation is transparent and follows standard practices for the Senpi trading platform. All logic is contained in readable Python and YAML files with clear documentation.
- [COMMAND_EXECUTION]: The skill utilizes platform-native CLI tools (openclaw) and standard stream editors (sed) to manage runtime configuration and deployment. These operations are scoped to the skill's own directory.
- [DATA_EXFILTRATION]: Operational data, such as trade counters and cooldown timestamps, is stored in a local JSON file (config/cobra-state.json). No sensitive user data, private keys, or system credentials are accessed or transmitted externally.
- [PROMPT_INJECTION]: The Python scanner ingests external market data via a standard input pipe. This constitutes an indirect prompt injection surface. The risk is minimized by the use of structured JSON parsing and the absence of dynamic execution primitives (like eval or exec) acting on the input.
  - Ingestion points: scripts/cobra-scanner.py via sys.stdin.
  - Boundary markers: Data is processed as structured JSON; no specific instruction-bypass markers are present.
  - Capability inventory: Execution of the openclaw CLI and creation of positions via the Senpi MCP.
  - Sanitization: The script performs type validation and field checking on the JSON input prior to its use in the scoring algorithm.
Audit Metadata