LP Agent
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This skill matches its LP-trading purpose, but it asks for wallet private keys, can run automated on-chain trading, installs unpinned infrastructure, and creates default admin credentials.
Only install this if you understand Hummingbot and Solana LP risks. Use a dedicated low-balance wallet, change default credentials before adding any wallet, verify the API is local and protected, pin or review the cloned Hummingbot API code, and require manual confirmation before any strategy opens or closes positions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Default admin credentials for the trading API and broker

If the API is reachable by another local process or exposed beyond localhost, default credentials could allow unauthorized control of trading operations.

The deployment script creates predictable default credentials for the Hummingbot API and broker, which are used to control trading infrastructure and wallets.

```shell
USERNAME=admin PASSWORD=admin CONFIG_PASSWORD=admin ... BROKER_USERNAME=admin BROKER_PASSWORD=password
```

Change all default passwords immediately, bind services only to trusted interfaces, and avoid adding funded wallets until authentication is hardened.
2. Wallet private key collected and sent to the API

A wallet private key controls funds; entering it gives the local trading stack authority to use that wallet for on-chain transactions.

The wallet-add flow prompts for a Solana private key and sends it to the configured Hummingbot API/Gateway endpoint.

```python
private_key = getpass.getpass("Enter private key (base58): ")
...
data = {
    "chain": args.chain,
    "private_key": private_key,
}
...
api_request("POST", "/accounts/gateway/add-wallet", data)
```

Use a dedicated low-balance trading wallet, verify the API URL is trusted and local, and do not paste a main wallet or seed phrase.
3. Unpinned clone and update of the Hummingbot API repository

The code executed during deployment can change over time and was not fully captured by this skill review.

The installer clones and later updates a remote repository without pinning a commit or release before running its Makefile/deployment commands.

```shell
REPO_URL="https://github.com/hummingbot/hummingbot-api.git" ... git clone "$REPO_URL" "$INSTALL_DIR" ... make setup ... make deploy ... git pull
```

Pin the Hummingbot API repository to a reviewed tag or commit, review the cloned files before deployment, and avoid automatic upgrades without review.
4. Replacement sudo executable written to a system path

This can persistently change how later commands invoking sudo behave in that environment.

The install script can create a replacement sudo executable in a system path when running as root.

```shell
# Only when running as root on a host that has no sudo binary
if [ "$(id -u)" = "0" ] && ! command -v sudo &>/dev/null; then
    # Writes a shim that exports any leading VAR=value arguments, then execs the rest
    echo -e '#!/bin/bash\nwhile [[ "$1" == *=* ]]; do export "$1"; shift; done\nexec "$@"' > /usr/local/bin/sudo
    chmod +x /usr/local/bin/sudo
fi
```

Avoid running this installer as root on a normal host, review this behavior before use, and prefer a contained environment such as a disposable VM or container.
5. Automated on-chain LP trading

Misconfigured parameters or unintended execution can move funds, incur transaction fees, or create impermanent-loss exposure.

The skill is designed to operate automated LP strategies that can open, rebalance, and close on-chain positions.

**Run strategies** — Auto-rebalancing LP controller or single-position executor ... `run-strategy` — Run, monitor, and manage LP strategies

Require explicit user confirmation for every wallet addition, strategy creation, amount, price range, and stop/close action.
