Skill v1.0.0

ClawScan security

Hummingbot Deploy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 27, 2026, 9:50 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's actions generally match its stated purpose (deploying Hummingbot components), but several runtime instructions and scripts perform system modifications, source arbitrary .env files, and instruct downloading and executing remote scripts. These behaviors are disproportionate or risky for a simple deploy helper.
Guidance
This skill appears to do what it claims (deploy Hummingbot), but it has several risky behaviors you should consider before running it:

- Do not blindly run curl|bash on remote URLs. Instead, inspect the scripts included in the package (they are present) or fetch them over HTTPS and verify their contents/commit hash first.
- The scripts may source .env files (including ~/.hummingbot/.env). Back up and inspect any .env files before running to avoid accidentally exporting secrets into the install process.
- The install will pull Docker images (including an unpinned :latest image) and create docker volumes. Consider pulling and inspecting images first, or run the install in an isolated VM/container.
- The scripts may write /usr/local/bin/sudo (a shim) if running in a container scenario. Avoid allowing writes to system paths on your host. Prefer running the command inside an intentionally provisioned container or VM.
- The MCP install invokes your agent CLI (e.g., claude, gemini, codex) and embeds API credentials in a command string. That can cause credentials to be stored in CLI config or logs; use strong, non-default credentials and prefer secrets managed by the platform.
- If you decide to proceed: run the included local scripts (not the ones fetched from raw.githubusercontent.com), pin Docker image digests instead of :latest, and run everything in an isolated environment first to verify behavior.

If you want, I can: (a) produce a checklist of safe steps to run this installation in a sandbox; (b) summarize the exact lines in the scripts that read .env or write files so you can review them; or (c) rewrite the instructions to avoid curl|bash and ensure safer defaults.

Review Dimensions

Purpose & Capability
ok: Name/description match the files and commands: scripts clone repos, run docker/docker-compose, and configure an MCP and Condor. Required binaries and envs are not declared but the check_env.sh enforces Docker/Git/Make presence, which is consistent with deployment.
Instruction Scope
concern: Runtime instructions direct the agent/user to curl|bash remote scripts on raw.githubusercontent.com and to run scripts that source the first matching .env from hummingbot-api/.env, ~/.hummingbot/.env, or .env, which can export unrelated local secrets. The guide also instructs creating a sudo shim at /usr/local/bin/sudo on container hosts and running an agent CLI command that embeds API credentials into a docker run command. These actions go beyond a minimal deploy helper and may touch unrelated user files/config and modify system paths.
Install Mechanism
note: There is no formal install spec in the registry bundle (instruction-only), but the SKILL.md repeatedly instructs executing scripts fetched at runtime via curl from raw.githubusercontent.com. Running remote scripts is higher-risk than using local files; the package does include the same scripts locally, but the instructions prefer fetching remote copies (which could differ). The MCP image is pulled from Docker Hub as :latest (unpinned), which is expected but less secure than a pinned digest.
Credentials
note: The skill does not declare required credentials, which is plausible because it defaults to admin/admin. However, scripts read and export .env files (including ~/.hummingbot/.env) and embed API credentials into docker run commands and into the agent CLI registration command, potentially exposing secrets to CLI history, container volumes, or other local tooling. This access is not explicitly declared in the metadata and is more than minimal.
Persistence & Privilege
concern: The skill does not request 'always', but scripts may write to the host (/usr/local/bin/sudo shim) and create docker volumes and images, and they register an MCP entry via the agent CLI. Writing an executable into /usr/local/bin on a host is a notable privilege elevation/persistence action and should not be performed without explicit user consent or sandboxing.