find-arbitrage-opps
Audited by Socket on Mar 1, 2026
1 alert found:
Malware: This skill documentation describes a legitimate tool for finding arbitrage by querying a running Hummingbot API and using exchange connectors; the required credentials and local API access are consistent with its stated purpose. The primary security concern is the documented prereq that uses a curl | bash construct to fetch and execute a remote script from GitHub — this is a classic supply-chain/download-execute pattern and increases risk even when the source appears official. Additional concerns: probing multiple .env locations to find credentials and example default admin credentials. Recommended mitigations: do not run curl | bash blindly — fetch the script and inspect it before executing, use pinned release artifacts or package managers when possible, avoid default weak credentials, and restrict .env file access. Overall, I assess the package as not obviously malicious from the provided documentation, but with moderate supply-chain and credential exposure risk that warrants review of any referenced scripts before execution.