mongoose-strategy
Fail
Audited by Snyk on Jun 28, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs point to code downloaded directly from a GitHub repo (raw.githubusercontent.com / github.com/Senpi-ai/senpi-skills) and to a private product domain (senpi.ai / mcp.prod.senpi.ai) whose README explicitly instructs curling raw scripts and running Python daemons — executing unvetted remote code and contacting an unfamiliar production API with credentials is a high-risk vector for malware or credential exfiltration unless you fully trust and have vetted the Senpi project and its maintainers.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly defines trading/wallet primitives and order-management functions: environment wallets (MONGOOSE_LONG_WALLET / MONGOOSE_SHORT_WALLET), producer/runtime that emit orders, and named APIs/tools like create_position, close_position, edit_position, ratchet_stop_, cancel_order, and strategy_close as part of the system. Those are specific market-order / position-management capabilities (on-chain/asset execution), even though conversation sessions are instructed to be read-only. Because the skill includes concrete functions for sending/controlling trades and wallets, it grants direct financial execution capability.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata