lemon-strategy
Warn
Audited by Snyk on May 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's setup instructs downloading and then executing runtime Python code from raw GitHub URLs (e.g. https://raw.githubusercontent.com/Senpi-ai/senpi-skills/main/lemon/scripts/lemon-scanner.py), meaning required external code is fetched from that URL and then executed as the scanner runtime, which meets the criteria for a high-confidence remote-code dependency.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a self-executing crypto trading strategy. It calls a trading API/function ("create_position" via mcporter), references order types (feeOptimizedLimit / FEE_OPTIMIZED_LIMIT), margin and leverage settings (up to 20x), position management (has_resting_orders(), MAX 1 POSITION, MAX_DAILY_ENTRIES), and requires a strategy wallet (LEMON_WALLET / WALLET_ADDRESS). These are specific, purpose-built capabilities to open/manage market positions and move capital, not generic tooling. Therefore it grants direct financial execution authority.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata