Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Connectors Available
v1.0.0
Check which exchanges work from your location and search for tokens with trading rules (min order size, price increment, order types).
⭐ 0· 365·1 current·1 all-time
by Michael Feng @fengtality
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (test which exchange connectors are reachable and show trading rules) aligns with the included scripts and data. Minor mismatch: registry metadata lists no required env vars/credentials, but SKILL.md and scripts expect a Hummingbot API URL and credentials (HUMMINGBOT_API_URL, API_USER, API_PASS). This is expected for this functionality but the metadata omission is worth noting.
Instruction Scope
SKILL.md instructs running the provided scripts only. The scripts perform HTTP requests to the configured Hummingbot API, read/write data/trading_rules.json, and source .env files. They do not run arbitrary remote code or contact third-party endpoints beyond the configured API_URL. However, the scripts source and export variables from hummingbot-api/.env, ~/.hummingbot/.env, or .env (set -a; source ...), which will load any variables in those files into the environment before use.
Install Mechanism
No install spec or external downloads. This is an instruction-only skill with local shell/Python scripts included — low install risk.
Credentials
The only credentials used are API_URL/API_USER/API_PASS for the Hummingbot API (defaults shown as admin/admin). That is proportionate to the stated purpose. Caveat: scripts source .env files and export all variables, which could inadvertently load unrelated secrets; the scripts will send API_USER/API_PASS to whatever API_URL is set, so ensure API_URL is trusted.
Persistence & Privilege
Skill does not request persistent/system-level privileges, does not auto-enable itself (always:false), and only writes to its own data/trading_rules.json file. No modifications to other skills or system-wide config detected.
Assessment
This skill appears to do what it says: query a Hummingbot API for connector trading rules and search them. Before running it:
1) Confirm you run (or point to) a trusted Hummingbot API (HUMMINGBOT_API_URL). If you change the default to a remote host, you will be sending API_USER/API_PASS to that host.
2) Inspect any .env files found at hummingbot-api/.env, ~/.hummingbot/.env, or .env — the scripts source and export all variables from those files, which could load unrelated secrets.
3) Avoid using global/privileged credentials; create a dedicated, limited API user rather than using admin/admin.
4) Be aware test_all.sh will overwrite data/trading_rules.json with fetched results.
5) If you need higher assurance, run the scripts in an isolated environment (container or VM) and review the environment variables that will be loaded.
Like a lobster shell, security has layers — review code before you run it.
