senpi-entrypoint

github.com/senpi-ai/senpi-skills

Verdict: Proceed with caution

0 critical0 high11 medium

SCORE 55 / 100

$skillox install senpi-entrypointSoon

Why grade C?

score · 55 / 100

The current grade reflects 11 medium findings (6+ MEDs → C).

0 CRIT0 HIGH11 MED0 LOW

To reach a higher grade

B
Reach Btarget score 75
Resolve 6 of 11 MED (cap is 5).
A
Reach Atarget score 95
Resolve 9 of 11 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-lhrmqi6j6nab7qjodpdg34lx · Thu, 28 May 2026 17:40:33 GMT · 2ms

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

med

Link text shows "about-senpi.md" but points at raw.githubusercontent.com

The visible link text contains the domain `about-senpi.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 26CWE-601

▾

25For platform context (wallets, strategies, tool categories, fees), see

26[references/about-senpi.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/about-senpi.md).← text→about-senpi.md · href→raw.githubusercontent.com

med

Link text shows "error-handling.md" but points at raw.githubusercontent.com

The visible link text contains the domain `error-handling.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 30CWE-601

▾

29If any `npx` command fails, consult

30[references/error-handling.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/error-handling.md) for recovery← text→error-handling.md · href→raw.githubusercontent.com

31steps.

med

Link text shows "skill-update-checker.md" but points at raw.githubusercontent.com

The visible link text contains the domain `skill-update-checker.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 68CWE-601

▾

66Before responding to any query in this skill, run the mandatory invocation

67check in

68[references/skill-update-checker.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-update-checker.md)← text→skill-update-checker.md · href→raw.githubusercontent.com

69(`Pre-Response Invocation Check` section) exactly once per invocation, then

70reuse the captured `UPDATE_OUTPUT` for all downstream response contracts.

med

Link text shows "post-onboarding.md" but points at raw.githubusercontent.com

The visible link text contains the domain `post-onboarding.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 73CWE-601

▾

71Do not run the same check a second time in the same invocation.

73**Arena intent hard-gate:** If the user's message contains "arena", "agents arena", "competition", "prize pool", "qualify", "qualification", "weekly cycle", or "weekly competition" — call `read_senpi_guide(uri="senpi://guides/arena")` before composing any answer. Do not use web search or leaderboard data for Arena questions. Full routing rules in [references/post-onboarding.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/post-onboarding.md).← text→post-onboarding.md · href→raw.githubusercontent.com

75---

med

Link text shows "post-onboarding.md" but points at raw.githubusercontent.com

rule: anchor-href-mismatchline: 125CWE-601

▾

123

124Send the welcome message from the **Post-Onboarding Welcome** section of

125[post-onboarding.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/post-onboarding.md).← text→post-onboarding.md · href→raw.githubusercontent.com

126Do not add balance or funding text — you do not have balance data yet; Step 2.5 fetches it and surfaces the appropriate funding message. Present the full welcome template (including the three options and the Agents Arena line) and wait for the user to respond.

127

med

Link text shows "skill-update-checker.md" but points at raw.githubusercontent.com

rule: anchor-href-mismatchline: 192CWE-601

▾

190

191Agent behaviour for this step: see

192[references/skill-update-checker.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-update-checker.md)← text→skill-update-checker.md · href→raw.githubusercontent.com

193(§ "Step 5 Agent Behaviour").

194

med

Link text shows "skill-update-checker.md" but points at raw.githubusercontent.com

rule: anchor-href-mismatchline: 239CWE-601

▾

237

238If the user asks to turn notifications off or back on, follow the procedure in

239[references/skill-update-checker.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-update-checker.md).← text→skill-update-checker.md · href→raw.githubusercontent.com

240

241---

med

Link text shows "about-senpi.md" but points at raw.githubusercontent.com

rule: anchor-href-mismatchline: 248CWE-601

▾

246

247For any summary or Q&A response, follow

248[references/about-senpi.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/about-senpi.md)← text→about-senpi.md · href→raw.githubusercontent.com

249(`Summary Response Contract` and `Mandatory Invocation Procedure` sections).

250Use the `UPDATE_OUTPUT` produced by the top-level `Pre-Response Check` above;

med

Link text shows "about-senpi.md" but points at raw.githubusercontent.com

rule: anchor-href-mismatchline: 261CWE-601

▾

259

260When asked, load and follow

261[references/about-senpi.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/about-senpi.md)← text→about-senpi.md · href→raw.githubusercontent.com

262(`Summary Response Contract` section) for order, depth, and command behavior.

263

med

Link text shows "skill-recommendations.md" but points at raw.githubusercontent.com

The visible link text contains the domain `skill-recommendations.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.

rule: anchor-href-mismatchline: 267CWE-601

▾

265

266Consult

267[references/skill-recommendations.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-recommendations.md)← text→skill-recommendations.md · href→raw.githubusercontent.com

268for the goal-to-skill mapping, budget guidance, and install commands.

269

View latest scan →

skillox.io/c/senpi-entrypoint

Skill facts

Latest grade: C · 55
Total scans: 1
Latest version: —
Last scanned: 2026-05-28
Source: senpi-ai/senpi-skills

AIBOM

What this skill accesses

No manifest

Declared (from capabilities)

No capabilities block in frontmatter — the skill doesn't state what it should access.

Observed (from scan findings)

Nothing observed in the body.

AIBOM (Application Skills Bill of Materials) — see /docs/concepts/aibom for the format.

Version history

Only this scan

No other scans on record for this skill name. New scans appear here as the catalog re-crawls or creators request a re-scan.

Embed badge

Show this grade in your README.

Tracks the latest grade automatically. Updates within five minutes of every re-scan.

Markdown

[![SkillOx grade](https://api.skillox.io/badge/senpi-entrypoint.svg)](https://skillox.io/c/senpi-entrypoint)

Markdown · score

[![SkillOx score](https://api.skillox.io/badge/score/senpi-entrypoint.svg)](https://skillox.io/c/senpi-entrypoint)

HTML

<a href="https://skillox.io/c/senpi-entrypoint"><img src="https://api.skillox.io/badge/senpi-entrypoint.svg" alt="SkillOx grade"/></a>

reST

.. image:: https://api.skillox.io/badge/senpi-entrypoint.svg
   :target: https://skillox.io/c/senpi-entrypoint
   :alt: SkillOx grade

Coming soon

Creator verification badge, expert-review status, and Cosign-signed release attestation appear here as those layers ship. AIBOM + version history are live; the others follow once the creator portal completes its identity-proof + signing surface.