ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hummingbot Market Maker

v0.3.3

使用Hummingbot框架执行加密货币做市和套利策略,支持资金费率套利、流动性提供、价格监控等自动化交易场景。

0· 98·0 current·0 all-time
byTang Weigang@tangweigang-jpg

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/hummingbot-market-maker.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Hummingbot Market Maker" (tangweigang-jpg/hummingbot-market-maker) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/hummingbot-market-maker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install hummingbot-market-maker

ClawHub CLI

Package manager switcher

npx clawhub@latest install hummingbot-market-maker
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to run Hummingbot strategies (which normally need Python, Hummingbot/ZVT, and exchange API keys) but the registry lists no required binaries, no env vars, and no primary credential. The SKILL.md metadata itself says 'Requires Python 3.12+ with uv package manager' and the seed.yaml references zvt and workspace install recipes — this mismatch suggests the declared requirements are incomplete or omitted.
!
Instruction Scope
Runtime instructions (SKILL.md and seed.yaml) instruct the agent to re-read seed.yaml, run preconditions that execute python commands (import zvt, run pip install zvt, initialize data dirs), check/write to ZVT_HOME (~/.zvt), and follow a pipeline that can lead to trade execution. Those steps go beyond passive guidance: they call local commands, may create files in the user's home, and imply network/package installs. The instructions do not declare or limit access to exchange API keys but mention trading execution use cases.
Install Mechanism
There is no install spec (instruction-only), which lowers direct install risk. However seed.yaml's execution_protocol references executing host_adapter.install_recipes[] and the preconditions give pip install commands on failure — an implicit install path exists but is not declared in the registry. That mismatch is a hygiene/integrity concern (where/how required packages get installed is unspecified).
!
Credentials
The registry lists no required environment variables or primary credential, but SKILL.md/LOCKS.md reference ZVT_HOME and the preconditions involve checking/initializing ~/.zvt. More importantly, a trading skill normally needs exchange API keys (API_KEY/SECRET) but none are declared. The absence of declared credentials while instructions imply trading/backtesting is disproportionate and ambiguous.
Persistence & Privilege
always:false (normal) and autonomous invocation is allowed by default. The skill asks agents to reload seed.yaml and run preconditions and may create/read files under the workspace or ~/.zvt, but it does not request elevated system-wide privileges or modify other skills. Because autonomous invocation is default, combining it with unclear credential handling increases the blast radius — a caution but not by itself a disqualifier.
What to consider before installing
This skill appears to be a compiled Hummingbot/ZVT blueprint but the package metadata is incomplete. Before installing or using it: 1) Ask the publisher for provenance and a full install spec (how Python, uv, zvt, and hummingbot are installed). 2) Do not provide exchange API keys until you verify where and how the skill will use them; prefer running any trading operations manually or in a sandbox. 3) Expect the skill to run local Python commands (pip install, zvt.init_dirs) and to create files under ~/.zvt — run in an isolated environment or container. 4) Request a clear list of required environment variables and confirm they match the registry declarations. 5) If you plan to execute live trades, perform an independent code review or run only on testnet/simulated accounts first.

Like a lobster shell, security has layers — review code before you run it.

cryptovk97bcsgamv56m5x068nwxt5ntx85ds2adatavk97bcsgamv56m5x068nwxt5ntx85ds2adoramagic-crystalvk97bcsgamv56m5x068nwxt5ntx85ds2afinancevk97bcsgamv56m5x068nwxt5ntx85ds2alatestvk97bcsgamv56m5x068nwxt5ntx85ds2aquantvk97bcsgamv56m5x068nwxt5ntx85ds2a
98downloads
0stars
3versions
Updated 4d ago
v0.3.3
MIT-0
Tang Weigang@tangweigang-jpg
cryptodatadoramagic-crystalfinancelatestquant
Download

Hummingbot 做市机器人 (hummingbot-market-maker)

使用Hummingbot框架执行加密货币做市和套利策略,支持资金费率套利、流动性提供、价格监控等自动化交易场景。

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (14 total)

Funding Rate Arbitrage (UC-101)

Exploits funding rate differences between perpetual exchanges (e.g., Hyperliquid and Binance) to generate risk-adjusted returns using leverage Triggers: funding rate, arbitrage, perpetual

XRPL Triggered Liquidity Provision (UC-103)

Provides liquidity on XRPL (Ripple Ledger) decentralized exchange when price crosses user-defined target levels Triggers: xrpl, ripple, liquidity

Simple Cross Exchange Market Making (XEMM) (UC-108)

Places maker orders on one exchange and immediately hedges/hedging filled orders on another exchange to capture spread Triggers: xemm, cross-exchange, market making

For all 14 use cases, see references/USE_CASES.md.

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (13 total)

  • AP-CRYPTO-TRADING-001: Float Arithmetic for Monetary Values
  • AP-CRYPTO-TRADING-002: Missing Market Initialization Before Access
  • AP-CRYPTO-TRADING-003: Bypassing API Facade Layer

All 13 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-096. Evidence verify ratio = 46.3% and audit fail total = 30. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md13 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-096 blueprint at 2026-04-22T13:00:42.333686+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...