find-xemm-opps
Audited by Socket on Mar 1, 2026
1 alert found:
Malware: The reviewed skill is functionally benign: it computes cross-exchange market-making opportunity metrics by querying a local Hummingbot API and aggregating order-book data. There is no explicit malicious logic in the provided fragment. However, there are notable supply-chain and credential-security concerns: the README recommends a curl|bash remote script execution (high-risk), example credentials are insecure, and the documentation lacks guidance to use least-privilege/read-only exchange API keys. These factors create a medium security risk in realistic deployments because they increase the chance of credential exposure or remote code execution if users follow quick-install instructions without verification. Recommended mitigations: avoid pipe-to-shell installs (clone and inspect, or use signed releases), never use sample/admin credentials in production, prefer read-only API keys for market-data tasks, audit .env locations before running, and limit API key scopes and rotate test keys frequently.