Skills
skills/senpi-ai/senpi-skills/viper-strategy/Gen Agent Trust Hub

viper-strategy

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The strategy interacts with the local environment and the exchange via the mcporter tool using Python's subprocess.run. The use of list-based arguments and JSON-encoding for parameters effectively mitigates command injection risks.
  • [EXTERNAL_DOWNLOADS]: The skill references configuration and logic specifications from the Senpi-ai GitHub organization. These are recognized as trusted vendor resources.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted market data (asset names and candle statistics) from external exchange APIs. While this constitutes an attack surface, the risk is minimized by strict numerical casting and limited use of the data in text-based outputs.
  • Ingestion points: scripts/viper-scanner.py (via market_list_instruments and market_get_asset_data tools).
  • Boundary markers: None present in the data processing flow.
  • Capability inventory: Subprocess execution for trade signaling and state file modification in scripts/viper-scanner.py and scripts/viper_config.py.
  • Sanitization: The skill applies float() conversion to price and volume data and uses json.dumps() for output formatting.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 13, 2026, 06:11 PM