senpi-entrypoint
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses npx, node, and python3 to manage environment variables, install platform-specific skills, and perform version checks.\n- [COMMAND_EXECUTION]: Persistence is established by scheduling a daily background task via the openclaw utility to execute a Python script for skill updates.\n- [EXTERNAL_DOWNLOADS]: The skill dynamically installs additional components from the vendor's GitHub repository (Senpi-ai/senpi-skills) and references external documentation.\n- [DATA_EXFILTRATION]: The update checker accesses the agent's internal configuration file ~/.agents/.skill-lock.json and the SENPI_AUTH_TOKEN environment variable to determine update status and authentication state.\n- [PROMPT_INJECTION]: The skill processes content from remote GitHub repositories, creating a surface for indirect prompt injection if the remote source is compromised.\n
- Ingestion points: Fetches SKILL.md files from raw.githubusercontent.com.\n
- Boundary markers: No explicit markers or validation found in the update script's parsing logic.\n
- Capability inventory: Includes command execution (npx, python3), file system access, and background task scheduling (openclaw).\n
- Sanitization: Metadata is extracted from remote files using basic string splitting and stripping without formal validation.
Audit Metadata