senpi-entrypoint
github.com/senpi-ai/senpi-skills
Scanned Thu, 28 May 2026 17:40:33 GMT
Scan ID crawl-lhrmqi6j6nab7qjodpdg34lx · 2ms
C
SCORE 55 / 100
Verdict: Proceed with caution
11 medium findings.
This skill ships without a capability manifest plus 10 other issues listed below.
0 critical · 0 high · 11 medium · 1 rule passed
Why grade C?
score · 55 / 100
The current grade reflects 11 medium findings (6+ MEDs → C).
0 CRIT · 0 HIGH · 11 MED · 0 LOW
To reach a higher grade
- B · Reach B · target score 75
Resolve 6 of 11 MED (cap is 5).
- A · Reach A · target score 95
Resolve 9 of 11 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
med · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
med · Link text shows "about-senpi.md" but points at raw.githubusercontent.com
The visible link text contains the domain `about-senpi.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
24
25  For platform context (wallets, strategies, tool categories, fees), see
26  [references/about-senpi.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/about-senpi.md).
    ← text → about-senpi.md · href → raw.githubusercontent.com
27
28
med · Link text shows "error-handling.md" but points at raw.githubusercontent.com
The visible link text contains the domain `error-handling.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
28
29  If any `npx` command fails, consult
30  [references/error-handling.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/error-handling.md) for recovery
    ← text → error-handling.md · href → raw.githubusercontent.com
31  steps.
32
med · Link text shows "skill-update-checker.md" but points at raw.githubusercontent.com
The visible link text contains the domain `skill-update-checker.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
66  Before responding to any query in this skill, run the mandatory invocation
67  check in
68  [references/skill-update-checker.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-update-checker.md)
    ← text → skill-update-checker.md · href → raw.githubusercontent.com
69  (`Pre-Response Invocation Check` section) exactly once per invocation, then
70  reuse the captured `UPDATE_OUTPUT` for all downstream response contracts.
med · Link text shows "post-onboarding.md" but points at raw.githubusercontent.com
The visible link text contains the domain `post-onboarding.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
71  Do not run the same check a second time in the same invocation.
72
73  **Arena intent hard-gate:** If the user's message contains "arena", "agents arena", "competition", "prize pool", "qualify", "qualification", "weekly cycle", or "weekly competition" — call `read_senpi_guide(uri="senpi://guides/arena")` before composing any answer. Do not use web search or leaderboard data for Arena questions. Full routing rules in [references/post-onboarding.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/post-onboarding.md).
    ← text → post-onboarding.md · href → raw.githubusercontent.com
74
75  ---
med · Link text shows "post-onboarding.md" but points at raw.githubusercontent.com
The visible link text contains the domain `post-onboarding.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
123
124  Send the welcome message from the **Post-Onboarding Welcome** section of
125  [post-onboarding.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/post-onboarding.md).
     ← text → post-onboarding.md · href → raw.githubusercontent.com
126  Do not add balance or funding text — you do not have balance data yet; Step 2.5 fetches it and surfaces the appropriate funding message. Present the full welcome template (including the three options and the Agents Arena line) and wait for the user to respond.
127
med · Link text shows "skill-update-checker.md" but points at raw.githubusercontent.com
The visible link text contains the domain `skill-update-checker.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
190
191  Agent behaviour for this step: see
192  [references/skill-update-checker.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-update-checker.md)
     ← text → skill-update-checker.md · href → raw.githubusercontent.com
193  (§ "Step 5 Agent Behaviour").
194
med · Link text shows "skill-update-checker.md" but points at raw.githubusercontent.com
The visible link text contains the domain `skill-update-checker.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
237
238  If the user asks to turn notifications off or back on, follow the procedure in
239  [references/skill-update-checker.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-update-checker.md).
     ← text → skill-update-checker.md · href → raw.githubusercontent.com
240
241  ---
med · Link text shows "about-senpi.md" but points at raw.githubusercontent.com
The visible link text contains the domain `about-senpi.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
246
247  For any summary or Q&A response, follow
248  [references/about-senpi.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/about-senpi.md)
     ← text → about-senpi.md · href → raw.githubusercontent.com
249  (`Summary Response Contract` and `Mandatory Invocation Procedure` sections).
250  Use the `UPDATE_OUTPUT` produced by the top-level `Pre-Response Check` above;
med · Link text shows "about-senpi.md" but points at raw.githubusercontent.com
The visible link text contains the domain `about-senpi.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
259
260  When asked, load and follow
261  [references/about-senpi.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/about-senpi.md)
     ← text → about-senpi.md · href → raw.githubusercontent.com
262  (`Summary Response Contract` section) for order, depth, and command behavior.
263
med · Link text shows "skill-recommendations.md" but points at raw.githubusercontent.com
The visible link text contains the domain `skill-recommendations.md`, but the URL actually targets `raw.githubusercontent.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
265
266  Consult
267  [references/skill-recommendations.md](https://raw.githubusercontent.com/Senpi-ai/senpi-skills/refs/heads/main/senpi-entrypoint/references/skill-recommendations.md)
     ← text → skill-recommendations.md · href → raw.githubusercontent.com
268  for the goal-to-skill mapping, budget guidance, and install commands.
269
skillox.io/r/crawl-lhrmqi6j6nab7qjodpdg34lx