hummingbot-deploy

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs creating .env files with plaintext passwords and running CLI commands that include --user/--pass arguments (and asks to substitute actual credentials), which requires the agent to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs running and installing code fetched from public third‑party sources (e.g., curl -s https://raw.githubusercontent.com/hummingbot/skills/main/... and git clone https://github.com/hummingbot/...) to install components (including an MCP server that configures agent CLIs), so untrusted external content is fetched and executed as part of the required workflow and could therefore change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches and executes remote code at runtime (high-confidence examples: bash <(curl -s https://raw.githubusercontent.com/hummingbot/skills/main/skills/hummingbot-deploy/scripts/install_mcp.sh) and git clone https://github.com/hummingbot/hummingbot-api.git followed by make deploy), so external content is downloaded and executed as a required dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly installs and configures Hummingbot trading infrastructure — a trading API server that "exposes a standardized REST API for trading, fetching market data, and deploying bot strategies across many CEXs and DEXs." It also directs installing "Hummingbot Skills to enable trading capabilities" and an MCP server to let AI agents interact with the Hummingbot API. This is specifically designed to execute market orders / interact with exchanges (crypto/CEX/DEX trading), not a generic toolset, so it grants direct financial execution capability.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs writing a sudo shim into /usr/local/bin (modifying system files), running remote scripts via curl|bash, and making system-level changes (docker, permissions), which actively bypasses or alters host security and compromises machine state.