Back to skill
Skillv1.0.0
VirusTotal security
Hummingbot Developer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:40 AM
- Hash
- a51a5d195bdd9151e1875322db745f393ab18cbebbf5aa749e476d3a5e924f0b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hummingbot-developer Version: 1.0.0 The skill bundle is classified as suspicious due to the use of risky practices common in developer workflows, such as `curl|bash` for installing system-level dependencies (Homebrew, nvm, Docker) in `scripts/install_deps.sh`, and `docker run` with host bind mounts for building components as described in `SKILL.md` and implemented in `scripts/build_all.sh`. Additionally, `scripts/install_all.sh` writes a `.env` file with hardcoded default development credentials (`admin:admin`), which, while intended for local development, represents a vulnerability if used in a production context. These capabilities, while powerful, are plausibly required for setting up a complex development environment and do not show clear evidence of intentional malicious behavior like data exfiltration or backdoor installation.
- External report
- View on VirusTotal