v1.0.0

Find Arbitrage Opps

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:10 AM.

Analysis

The skill appears aligned with its stated price-comparison purpose, but users should notice that it uses Hummingbot API credentials and suggests running a remote setup script.

Guidance: Before installing, confirm you trust the Hummingbot environment this skill will contact, check that HUMMINGBOT_API_URL points to the intended API, and inspect the remote prerequisite script before running it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
bash <(curl -s https://raw.githubusercontent.com/hummingbot/skills/main/skills/lp-agent/scripts/check_prerequisites.sh)

The prerequisite command executes a remote script from GitHub that is not included in the reviewed artifacts. It is user-directed and disclosed, but users should trust and inspect it before running.

User impact: If the remote script changes or is not trustworthy, running it could execute commands on the user's machine.
Recommendation: Review the referenced script before running it, prefer a pinned commit or packaged local helper, and avoid piping remote shell scripts directly into bash unless you trust the source.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
scripts/find_arb_opps.py
"user": os.environ.get("API_USER", "admin"), "password": os.environ.get("API_PASS", "admin") ... "Authorization": f"Basic {credentials}"

The script authenticates to the configured Hummingbot API using credentials loaded from environment or .env files. This is expected for the integration, but it is sensitive authority and is not declared in the registry metadata.

User impact: The skill will send the configured Hummingbot API username and password to HUMMINGBOT_API_URL, so a wrong or untrusted URL could expose those credentials.
Recommendation: Set HUMMINGBOT_API_URL only to a trusted local or controlled Hummingbot API endpoint, use dedicated credentials where possible, and avoid running the script from directories with unrelated .env files.