senpi-onboard
Warn
Audited by Snyk on Apr 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches live leaderboard and strategy data from public MCP endpoints (e.g., the curl calls to https://ypofdvbavcdgseguddey.supabase.co/functions/v1/mcp-server in references/post-onboarding.md and the "Show me the strategies"/"Set me up" flows) and then uses that external, live content to choose and autonomously install/deploy strategy code, so untrusted third-party content can materially change tool use and subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill runs installation at runtime using the GitHub repo URL (e.g. via 'npx skills add https://github.com/Senpi-ai/senpi-skills --skill "${SLUG}"'), which fetches and installs remote skill code that will be executed and can control agent prompts/behavior.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly performs crypto wallet operations (generates an EVM wallet, writes privateKey and mnemonic to ~/.config/senpi/wallet.json, and persists the wallet) and creates/returns an API key and configures an MCP server endpoint used for portfolio management and order execution on Hyperliquid. Although it says onboarding (not trading) and warns not to use it for trading, the skill specifically provisions blockchain wallet credentials and the API/MCP connection that enable autonomous trading. These are direct crypto/financial execution capabilities (wallet management and trading-enabled API credentials), so it meets the "Direct Financial Execution" criteria.
Issues (3)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata