Hummingbot Developer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Hummingbot developer setup skill, but it uses insecure local defaults and powerful install/service actions that should be reviewed before running.

Install only on an isolated local development machine after reviewing the shell scripts. Do not use real trading, exchange, wallet, or production credentials with the generated defaults. Replace admin/admin and the gateway passphrase before exposing any service, avoid port forwarding the API or Gateway, and back up any existing hummingbot-api .env before running install_all.sh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation uses default credentials `admin:admin` for API access and does not clearly warn that they must be changed or restricted to isolated local-only use. If the API is exposed beyond localhost, these credentials are trivial to guess and can enable unauthorized bot deployment or broader control over the trading stack.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documents running Gateway in `--dev` HTTP mode without TLS and does not prominently warn that traffic is plaintext and should not be exposed to untrusted networks. Even if intended for local development, users often port-forward, bind broadly, or run on shared hosts, which can expose passphrases, requests, or operational metadata.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script unconditionally overwrites the API .env file with hardcoded credentials and connection settings, which can destroy an existing developer configuration and silently replace stronger secrets with known defaults. In a developer/install skill this is especially risky because the file contains authentication and database settings that may later be used beyond a purely local throwaway environment.

Missing User Warnings

Medium
Confidence: 98%
Finding
Sourcing $WORKSPACE/.dev-branches executes arbitrary shell code from that file in the current process, not just variable assignments. If an attacker can modify that file, running this installer results in arbitrary command execution with the user's privileges before any validation occurs.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script passes the gateway passphrase as a command-line argument to `node`, which can expose the secret through process listings, shell history, job control output, and local monitoring tools accessible to other users on the same host. In this developer-stack context, the risk is somewhat normalized but still real because the script explicitly automates handling of a sensitive credential in an unsafe way.

VirusTotal

64/64 vendors flagged this skill as clean.
