Find Arbitrage Opps
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears aligned with its stated price-comparison purpose, but users should notice that it uses Hummingbot API credentials and suggests running a remote setup script.
Before installing, confirm you trust the Hummingbot environment this skill will contact, check that HUMMINGBOT_API_URL points to the intended API, and inspect the remote prerequisite script before running it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote script changes or is not trustworthy, running it could execute commands on the user's machine.
The prerequisite command executes a remote script from GitHub that is not included in the reviewed artifacts. It is user-directed and disclosed, but users should trust and inspect it before running.
bash <(curl -s https://raw.githubusercontent.com/hummingbot/skills/main/skills/lp-agent/scripts/check_prerequisites.sh)
Review the referenced script before running it, prefer a pinned commit or packaged local helper, and avoid piping remote shell scripts directly into bash unless you trust the source.
The skill will send the configured Hummingbot API username and password to HUMMINGBOT_API_URL, so a wrong or untrusted URL could expose those credentials.
The script authenticates to the configured Hummingbot API using credentials loaded from environment or .env files. This is expected for the integration, but it is sensitive authority and is not declared in the registry metadata.
"user": os.environ.get("API_USER", "admin"), "password": os.environ.get("API_PASS", "admin") ... "Authorization": f"Basic {credentials}"
Set HUMMINGBOT_API_URL only to a trusted local or controlled Hummingbot API endpoint, use dedicated credentials where possible, and avoid running the script from directories with unrelated .env files.
