hummingbird-strategy
Fail
Audited by Snyk on Jun 28, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These links include direct raw.githubusercontent.com URLs that pull executable scripts from the Senpi-ai/senpi-skills repository (plus the repo and senpi.ai domain and a local 127.0.0.1 runtime endpoint); fetching and running raw code from an unverified GitHub repo is a potential malware distribution vector unless you have independently verified the author and repo integrity.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading strategy that issues and manages market positions. It describes emitting signals that the runtime opens via a specific order type (FEE_OPTIMIZED_LIMIT with taker/maker execution flags), references action/hook names that open positions (hummingbird_entry -> runtime opens), and lists protected APIs for position/order management (create_position, close_position, edit_position, ratchet_stop_add/edit/delete, cancel_order, strategy_close, etc.). These are explicit market-order and position-management capabilities (buy/sell and exit logic) — not generic tooling — so it grants direct financial execution authority.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata