Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hummingbot Developer

v1.0.0

Developer skill for running Hummingbot and Gateway from source, building wheel and Docker images, and testing against Hummingbot API running from source. Use...

by Michael Feng (@fengtality)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included scripts: the repo-level scripts implement installing dependencies, selecting branches, installing repos, building wheels/images, running the dev stack, and running integration tests. The tools referenced (conda, node/pnpm, docker, git) are appropriate for the stated developer workflow.
Instruction Scope
Instructions and scripts operate on local workspace paths and developer repos, start/stop local services, and run integration tests against localhost. They also read .env files (hummingbot-api/.env, ~/.hummingbot/.env, .env) and examine conda envs and git state — behavior that is expected for a dev/test tool but means the skill will access local configuration and credentials stored in those files.
Install Mechanism
There is no registry install spec, but the included install_deps.sh downloads and runs upstream installers (Miniconda from repo.anaconda.com, Homebrew installer from raw.githubusercontent.com, nvm install script, get.docker.com, etc.). These are well-known sources for developer tooling but executing remote install scripts and curl|bash-style actions is higher-risk than pure local operations; users should inspect the scripts and be comfortable with these installers before running them.
Credentials
The skill declares no required environment variables, but scripts use many environment variables (WORKSPACE, HUMMINGBOT_DIR, GATEWAY_DIR, HUMMINGBOT_API_DIR, HUMMINGBOT_API_URL, GATEWAY_URL, API_USER/API_PASS, GATEWAY_PASSPHRASE, etc.) and will write a dev API .env (with default credentials) into the repo. The scripts also read .env files from user locations which may contain secrets; this is plausible for integration testing but worth noting before installing or running.
Persistence & Privilege
The skill does not request always:true or global privileges. It writes files into the workspace (e.g., .dev-branches, .env, .setup-complete, .gateway.log, .dev-pids), runs conda init (which modifies shell config), and may add the user to the docker group on Linux (usermod) — all reasonable for a dev workflow but they alter local environment and user shell configuration.
Assessment
This skill is coherent for Hummingbot development, but it performs local installation and environment changes. Before installing or running:
1) inspect scripts (install_deps.sh, install_all.sh, run_dev_stack.sh) yourself — they download/execute upstream installers (Miniconda, nvm/Homebrew, Docker install scripts) and run commands that modify your shell config and user groups;
2) run in an isolated environment (VM, disposable machine, or container) if you don't want those changes on your primary workstation;
3) back up your shell config (~/.bashrc, ~/.zshrc) before running conda/nvm init;
4) be aware the tool reads .env files (including ~/.hummingbot/.env) and will write a dev .env with default credentials in the API repo — remove or secure any sensitive values first;
5) avoid running installers as root; and
6) if you want to be extra cautious, run only the scripts you trust (e.g., run check_env.sh and select_branches.sh first, and manually perform installs rather than using install_deps.sh).

Like a lobster shell, security has layers — review code before you run it.

latest vk97d3vhej5606b7qak0j3nm7wh81zfjz
