thesis-fund-strategy
Warn
Audited by Snyk on Jun 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The README/installation steps instruct fetching and installing remote code (via npx from https://github.com/Senpi-ai/senpi-skills and curl from https://raw.githubusercontent.com/Senpi-ai/senpi-skills/main/thesis-fund/$f) which is then executed (e.g., running scripts/thesis-producer.py), so these URLs provide remote code that the skill depends on and executes.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading engine: it runs a producer daemon tied to a single wallet, manages positions and leverage (margin_pct, strict 5x clamp), and references exchange/clearinghouse behavior. It lists and forbids specific execution APIs for user sessions — e.g. create_position, close_position, edit_position, cancel_order, strategy_close, ratchet_stop_add/edit/delete — which implies those functions exist and are used by the daemon/DSL to place and manage market orders. This is not generic browser or HTTP tooling; it is specifically designed to execute and manage financial trades (market orders/position management) and control a wallet. Therefore it grants direct financial execution authority.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata