Skill v1.0.0
ClawScan security
Connectors Available · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 9:46 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: Scripts and instructions match the stated purpose (testing Hummingbot connectors and searching trading rules), with minor metadata and sensitive-file handling notes you should review before running.
- Guidance: This skill appears to do what it says: query a Hummingbot API for connector trading rules and search them. Before running it:
  1. Confirm you run (or point to) a trusted Hummingbot API (HUMMINGBOT_API_URL). If you change the default to a remote host, you will be sending API_USER/API_PASS to that host.
  2. Inspect any .env files found at hummingbot-api/.env, ~/.hummingbot/.env, or .env — the scripts source and export all variables from those files, which could load unrelated secrets.
  3. Avoid using global/privileged credentials; create a dedicated, limited API user rather than using admin/admin.
  4. Be aware that test_all.sh will overwrite data/trading_rules.json with fetched results.
  5. If you need higher assurance, run the scripts in an isolated environment (container or VM) and review the environment variables that will be loaded.
Review Dimensions
- Purpose & Capability (note): The name/description (test which exchange connectors are reachable and show trading rules) aligns with the included scripts and data. Minor mismatch: registry metadata lists no required env vars/credentials, but SKILL.md and scripts expect a Hummingbot API URL and credentials (HUMMINGBOT_API_URL, API_USER, API_PASS). This is expected for this functionality, but the metadata omission is worth noting.
- Instruction Scope (note): SKILL.md instructs running the provided scripts only. The scripts perform HTTP requests to the configured Hummingbot API, read/write data/trading_rules.json, and source .env files. They do not run arbitrary remote code or contact third-party endpoints beyond the configured API_URL. However, the scripts source and export variables from hummingbot-api/.env, ~/.hummingbot/.env, or .env (set -a; source ...), which will load any variables in those files into the environment before use.
- Install Mechanism (ok): No install spec or external downloads. This is an instruction-only skill with local shell/Python scripts included; low install risk.
- Credentials (note): The only credentials used are API_URL/API_USER/API_PASS for the Hummingbot API (defaults shown as admin/admin). That is proportionate to the stated purpose. Caveat: the scripts source .env files and export all variables, which could inadvertently load unrelated secrets; the scripts will send API_USER/API_PASS to whatever API_URL is set, so ensure API_URL is trusted.
- Persistence & Privilege (ok): The skill does not request persistent/system-level privileges, does not auto-enable itself (always:false), and only writes to its own data/trading_rules.json file. No modifications to other skills or system-wide config detected.
