Hummingbot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Hummingbot trading helper, but it can use exchange credentials and affect live trading with weak safeguards, so it needs Review before install.

Install only if you intend to let an agent control a Hummingbot trading setup. Use paper trading first, set strong Hummingbot API credentials instead of defaults, avoid passing exchange secrets on the command line, disable withdrawal permissions on exchange keys, and require explicit human approval before starting bots, stopping bots, placing orders, canceling orders, or using leveraged strategies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates use of environment variables and localhost network access to a trading API, but the manifest does not declare corresponding permissions. In an agent setting, undeclared access to credentials and networked trading endpoints reduces transparency and can bypass policy review, especially because the skill handles exchange API keys and bot control.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
A description-behavior mismatch is dangerous because users and policy systems may approve the skill for limited CLI-style bot operations while the actual capability surface appears broader, including account/credential management, trading actions, market data access, and deployment/log interfaces. In a financial trading context, understated capabilities materially increase the risk of unauthorized trades, exposure of sensitive data, and unsafe automation decisions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs users to provide exchange API keys and to invoke bot-stopping flows that may close positions, yet it omits safety guidance about credential leakage, trading permissions, fund exposure, and the financial consequences of liquidation or market orders. In a trading skill, missing warnings and safeguards can lead to real monetary loss and unsafe secret handling even if the underlying feature is intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document promotes an advanced leveraged perpetual-futures trading strategy, including aggressive example settings, without any explicit warning that users can incur rapid and substantial losses, including liquidation. In an agent skill context, this omission is more dangerous because the content may be treated as operational guidance and reused directly by users or downstream automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This documentation describes a live market-making strategy that places and refreshes real orders, but it does not prominently warn users about financial loss, unintended live trading, inventory risk, or exchange-specific execution behavior. In an agent skill context, omission of such warnings can mislead users into treating the strategy as informational or low-risk, increasing the chance of accidental deployment with real funds.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage examples and supported flags encourage users to provide API secrets on the command line, which can expose credentials through shell history, process listings, audit logs, and terminal recording tools. In a trading skill managing exchange credentials, this is particularly sensitive because leaked keys may allow account access, trading abuse, or fund loss depending on exchange permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The helper automatically loads API credentials from local .env files and falls back to the hardcoded default username/password admin/admin if none are set. In a trading/bot-control context, default credentials can allow unauthorized access to the Hummingbot API, and silent credential loading obscures which secrets are being used, increasing the chance of insecure deployment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The cancel command executes a destructive trading action immediately, without any confirmation prompt, dry-run preview, or safety interlock. In a trading skill, this increases the chance of accidental or coerced order cancellation, which can materially affect active strategies, execution quality, and financial outcomes.
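The interlock this finding asks for, and the human-approval rule the overview states for starting and stopping bots, placing and canceling orders, and leveraged strategies, can be enforced in a small wrapper that sits between the agent and the trading API. The block below is an added example written for this review, not code from the Hummingbot skill; the action names, the `leverage` parameter and the `ActionGuard` class are assumptions chosen for illustration. It defaults to dry-run, refuses destructive or leveraged actions without an approver that returned True, and keeps an audit trail of what was previewed, denied or executed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Actions the overview says should never run without a human in the loop (names assumed).
DESTRUCTIVE_ACTIONS = {"start_bot", "stop_bot", "place_order", "cancel_order", "cancel_all_orders"}


def needs_approval(action: str, params: Dict) -> bool:
    """Destructive bot/order actions and any leveraged strategy require explicit approval."""
    if action in DESTRUCTIVE_ACTIONS:
        return True
    leverage = params.get("leverage")  # assumed parameter name for leveraged strategies
    return leverage is not None and float(leverage) > 1.0


@dataclass
class ActionGuard:
    approver: Callable[[str], bool]        # returns True only on explicit human consent
    dry_run: bool = True                   # preview-only by default; live mode must be opted into
    audit_log: List[str] = field(default_factory=list)

    def run(self, action: str, params: Dict, execute: Callable[[], object]) -> Optional[object]:
        """Run `execute` only if the action is harmless, or approved by a human in live mode."""
        summary = f"{action} {params}"
        if not needs_approval(action, params):
            self.audit_log.append(f"RUN {summary}")
            return execute()
        if self.dry_run:
            # Never touches the exchange: the agent sees what would happen and nothing else.
            self.audit_log.append(f"DRY-RUN {summary}")
            return None
        if not self.approver(summary):
            self.audit_log.append(f"DENIED {summary}")
            raise PermissionError(f"{action} requires explicit human approval")
        self.audit_log.append(f"APPROVED {summary}")
        return execute()


def typed_confirmation(prompt_fn: Callable[[str], str]) -> Callable[[str], bool]:
    """Approver that makes the operator retype the action name; pressing Enter is not consent."""
    def approve(summary: str) -> bool:
        action = summary.split(" ", 1)[0]
        return prompt_fn(f"Type '{action}' to confirm: {summary}\n> ").strip() == action
    return approve


if __name__ == "__main__":
    # Interactive use: live mode with a typed confirmation; the trading call is a stand-in.
    guard = ActionGuard(approver=typed_confirmation(input), dry_run=False)
    print(guard.run("cancel_order", {"order_id": "demo-1"}, lambda: "cancelled"))
```

The guard is only as good as the approver behind it: an approver that reads from the same channel the agent controls (a tool result, a chat reply) is not a human interlock, so wire `typed_confirmation` to a real terminal or an out-of-band approval step.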

Credential Access

High
Category
Privilege Escalation
Content
import os

ENV_PATHS = [".env"]  # assumed; the report's excerpt does not show the real list

def load_env():
    """Load .env file — first match wins."""
    for path in ENV_PATHS:
        if os.path.exists(path):
            with open(path) as f:
                for line in f:  # body below this point is truncated in the report; KEY=VALUE loading assumed
                    key, sep, value = line.strip().partition("=")
                    if sep:
                        os.environ.setdefault(key, value)
Confidence
78% confidence
Finding
.env
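The two credential findings above (secrets accepted on the command line, and a silent .env search that falls back to admin/admin) can be closed with a loader that refuses defaults, refuses secrets in `argv`, only reads a .env file the caller names explicitly, insists that the file is not group- or world-readable, and reports where the values came from. The block below is an added example written for this review and is not the skill's own helper; the variable names `HUMMINGBOT_API_USERNAME` and `HUMMINGBOT_API_PASSWORD`, the flag names in `SECRET_FLAGS`, and the `CredentialError` type are assumptions chosen for illustration.

```python
import os
import stat
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed names: the report does not state which variables or flags the skill uses.
USERNAME_VAR = "HUMMINGBOT_API_USERNAME"
PASSWORD_VAR = "HUMMINGBOT_API_PASSWORD"
SECRET_FLAGS = ("--api-key", "--api-secret", "--password", "--passphrase")
DEFAULT_CREDENTIALS = ("admin", "admin")  # the fallback the finding objects to


class CredentialError(Exception):
    """Raised instead of silently continuing with missing, default or leaked credentials."""


@dataclass(frozen=True)
class ApiCredentials:
    username: str
    password: str
    source: str  # "environment" or the .env path, so the operator knows which secret is in use


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and comments; strip one layer of matching quotes."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def reject_secrets_in_argv(argv: List[str]) -> None:
    """Secrets on the command line end up in shell history, ps output and audit logs."""
    for arg in argv[1:]:
        for flag in SECRET_FLAGS:
            if arg == flag or arg.startswith(flag + "="):
                raise CredentialError(f"{flag} must not be passed on the command line; "
                                      "use the environment or a mode-0600 .env file")


def check_private(path: str) -> None:
    """Refuse a .env file that other local users could read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} is readable by group/others (mode {mode:o}); chmod 600 it")


def load_credentials(env_path: Optional[str] = None,
                     environ: Optional[Dict[str, str]] = None,
                     argv: Optional[List[str]] = None) -> ApiCredentials:
    """Environment first, then an explicitly named .env file; never a built-in default."""
    environ = dict(os.environ) if environ is None else environ
    argv = sys.argv if argv is None else argv
    reject_secrets_in_argv(argv)

    username, password, source = environ.get(USERNAME_VAR), environ.get(PASSWORD_VAR), "environment"
    if (not username or not password) and env_path is not None:
        check_private(env_path)
        with open(env_path) as f:
            values = parse_dotenv(f.read())
        username = username or values.get(USERNAME_VAR)
        password = password or values.get(PASSWORD_VAR)
        source = env_path

    if not username or not password:
        raise CredentialError("no Hummingbot API credentials configured; refusing to fall back to defaults")
    if (username, password) == DEFAULT_CREDENTIALS:
        raise CredentialError("default admin/admin credentials are not allowed; set real ones")
    return ApiCredentials(username, password, source)


if __name__ == "__main__":
    creds = load_credentials(env_path=".env")
    print(f"loaded credentials for {creds.username!r} from {creds.source}")
```

Note that the loader deliberately does not walk a list of candidate paths: with a search list, a writable directory earlier in the list lets another local user or a planted file decide which credentials the agent uses, and the operator cannot tell from the output which file won.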

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal