Skill v1.0.0

ClawScan security

Hummingbot Developer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 9:51 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's scripts and instructions are internally consistent with a developer tool for building and running Hummingbot/Gateway/API from source, but they perform local installs, edit shell config, and read/write local .env files — review before running on sensitive machines.
Guidance
This skill is coherent for Hummingbot development, but it performs local installation and environment changes. Before installing or running:
1) inspect scripts (install_deps.sh, install_all.sh, run_dev_stack.sh) yourself — they download/execute upstream installers (Miniconda, nvm/Homebrew, Docker install scripts) and run commands that modify your shell config and user groups;
2) run in an isolated environment (VM, disposable machine, or container) if you don't want those changes on your primary workstation;
3) back up your shell config (~/.bashrc, ~/.zshrc) before running conda/nvm init;
4) be aware the tool reads .env files (including ~/.hummingbot/.env) and will write a dev .env with default credentials in the API repo — remove or secure any sensitive values first;
5) avoid running installers as root; and
6) if you want to be extra cautious, run only the scripts you trust (e.g., run check_env.sh and select_branches.sh first, and manually perform installs rather than using install_deps.sh).

Review Dimensions

Purpose & Capability
ok · Name/description match the included scripts: the repo-level scripts implement installing dependencies, selecting branches, installing repos, building wheels/images, running the dev stack, and running integration tests. The tools referenced (conda, node/pnpm, docker, git) are appropriate for the stated developer workflow.
Instruction Scope
note · Instructions and scripts operate on local workspace paths and developer repos, start/stop local services, and run integration tests against localhost. They also read .env files (hummingbot-api/.env, ~/.hummingbot/.env, .env) and examine conda envs and git state — behavior that is expected for a dev/test tool but means the skill will access local configuration and credentials stored in those files.
Install Mechanism
note · There is no registry install spec, but the included install_deps.sh downloads and runs upstream installers (Miniconda from repo.anaconda.com, Homebrew installer from raw.githubusercontent.com, nvm install script, get.docker.com, etc.). These are well-known sources for developer tooling, but executing remote install scripts and curl|bash-style actions is higher-risk than pure local operations; users should inspect the scripts and be comfortable with these installers before running them.
Credentials
note · The skill declares no required environment variables, but scripts use many environment variables (WORKSPACE, HUMMINGBOT_DIR, GATEWAY_DIR, HUMMINGBOT_API_DIR, HUMMINGBOT_API_URL, GATEWAY_URL, API_USER/API_PASS, GATEWAY_PASSPHRASE, etc.) and will write a dev API .env (with default credentials) into the repo. The scripts also read .env files from user locations which may contain secrets; this is plausible for integration testing but worth noting before installing or running.
Persistence & Privilege
note · The skill does not request always:true or global privileges. It writes files into the workspace (e.g., .dev-branches, .env, .setup-complete, .gateway.log, .dev-pids), runs conda init (which modifies shell config), and may add the user to the docker group on Linux (usermod) — all reasonable for a dev workflow but they alter local environment and user shell configuration.