Hummingbot Deploy

This skill appears to do what it claims (deploy Hummingbot), but it has several risky behaviors you should consider before running it: - Do not blindly run curl|bash on remote URLs. Instead, inspect the scripts included in the package (they are present) or fetch them over HTTPS and verify their contents/commit hash first. - The scripts may source .env files (including ~/.hummingbot/.env). Back up and inspect any .env files before running to avoid accidentally exporting secrets into the install process. - The install will pull Docker images (including an unpinned :latest image) and create docker volumes. Consider pulling and inspecting images first, or run the install in an isolated VM/container. - The scripts may write /usr/local/bin/sudo (a shim) if running in a container scenario — avoid allowing writes to system paths on your host. Prefer running the command inside an intentionally provisioned container or VM. - The MCP install invokes your agent CLI (e.g., claude, gemini, codex) and embeds API credentials in a command string. That can cause credentials to be stored in CLI config or logs; use strong, non-default credentials and prefer secrets managed by the platform. - If you decide to proceed: run the included local scripts (not the ones fetched from raw.githubusercontent.com), pin Docker image digests instead of :latest, and run everything in an isolated environment first to verify behavior. If you want, I can: (a) produce a checklist of safe steps to run this installation in a sandbox; (b) summarize the exact lines in the scripts that read .env or write files so you can review them; or (c) rewrite the instructions to avoid curl|bash and ensure safer defaults.