Skill v1.0.0
VirusTotal security
Hummingbot Deploy · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:42 AM
- Hash: ce490c52ddc0d9671574119a804e880af2484ba21a4525ce110716d0d7220430
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: hummingbot-deploy; Version: 1.0.0. The skill bundle is classified as suspicious due to several high-risk practices and vulnerabilities. Most notably, it repeatedly uses the `bash <(curl -s ...)` pattern in SKILL.md to execute remote scripts (check_env.sh, install_mcp.sh, verify.sh), which is a significant Remote Code Execution (RCE) vulnerability if the remote GitHub repository is compromised. Additionally, SKILL.md contains a highly suspicious custom `sudo` shim creation for container environments, which bypasses standard privilege escalation mechanisms. The skill also employs direct prompt injection against the AI agent, instructing it to execute its own CLI with constructed `docker run` commands (scripts/install_mcp.sh), including passing sensitive credentials as environment variables, further increasing the attack surface.
