hummingbird-strategy

Fail

Audited by Snyk on Jun 28, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). These links include direct raw.githubusercontent.com URLs that pull executable scripts from the Senpi-ai/senpi-skills repository (plus the repo and senpi.ai domain and a local 127.0.0.1 runtime endpoint); fetching and running raw code from an unverified GitHub repo is a potential malware distribution vector unless you have independently verified the author and repo integrity.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a trading strategy that issues and manages market positions. It describes emitting signals that the runtime opens via a specific order type (FEE_OPTIMIZED_LIMIT with taker/maker execution flags), references action/hook names that open positions (hummingbird_entry -> runtime opens), and lists protected APIs for position/order management (create_position, close_position, edit_position, ratchet_stop_add/edit/delete, cancel_order, strategy_close, etc.). These are explicit market-order and position-management capabilities (buy/sell and exit logic) — not generic tooling — so it grants direct financial execution authority.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 28, 2026, 08:48 PM
Issues
2
Security Audit — snyk — hummingbird-strategy