find-arbitrage-opps
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The SKILL.md documentation includes a prerequisite command that downloads and executes a shell script directly from the vendor's GitHub repository: `bash <(curl -s https://raw.githubusercontent.com/hummingbot/skills/main/skills/lp-agent/scripts/check_prerequisites.sh)`. Since the source is the official repository of the skill's author ('hummingbot'), this is considered a trusted administrative action.
- [EXTERNAL_DOWNLOADS]: The skill's Python script (`scripts/find_arb_opps.py`) makes network requests to a locally hosted or configured Hummingbot API (`HUMMINGBOT_API_URL`) to fetch exchange data and prices. These requests are restricted to the user's own infrastructure.
- [COMMAND_EXECUTION]: The documentation provides examples of executing a local Python script (`python scripts/find_arb_opps.py`) with various arguments to perform its primary function. This is standard behavior for a CLI-based tool.
- [CREDENTIALS_UNSAFE]: The script (`scripts/find_arb_opps.py`) loads API credentials (`API_USER`, `API_PASS`) from local `.env` files. It uses these credentials for Basic Authentication when communicating with the Hummingbot API. The credentials remain within the local environment and are not sent to any unauthorized third-party services.
Audit Metadata