hummingbot-deploy
Audited by Socket on Feb 28, 2026
1 alert found:
Malware

The skill provides plausible, useful automation for deploying Hummingbot components, but it includes several high-risk supply-chain and operational patterns. The primary concerns are: multiple download-and-execute instructions that fetch unpinned shell scripts from GitHub raw URLs (a branch ref such as main can change content between reads without any change on the user's side); explicit passing and storage of plaintext credentials, including weak defaults; creation of a local sudo shim; and instructions to install additional skills and agent-specific tooling. Each of these widens the trust surface and enables credential exposure or malicious updates.

There is no direct evidence of intentionally malicious code inside the provided text, but the combination of unpinned remote execution, credential forwarding, and transitive installs represents a significant supply-chain risk. Recommend treating this skill as potentially dangerous: do not run remote scripts unreviewed, replace weak defaults, pin commit SHAs for clones and raw script URLs, avoid passing secrets on the command line, and review any transitive skill packages before installation.
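The following is an added example of the hardening the recommendations above describe; it is not code from the hummingbot-deploy skill or from Socket. It shows the unsafe pipe-to-shell pattern (kept as a comment) next to a download-verify-execute flow that only accepts raw URLs pinned to a full commit SHA, checks a SHA-256 digest before running anything, and rejects weak credential values read from the environment rather than the command line. The OWNER/REPO placeholders, the list of weak defaults and the 16-character minimum are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the audited skill. Function names, placeholders
# and thresholds below are assumptions.

# --- The pattern the alert flags: unpinned branch ref, piped straight into a
# shell, nothing inspected. Left as a comment so this file never executes it.
#   curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/install.sh | bash

# Portable SHA-256 of a file (coreutils sha256sum, falling back to shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Build a raw URL pinned to a full 40-hex commit SHA. Branch names and short
# SHAs are refused, so the URL cannot silently resolve to new content later.
pinned_raw_url() {
  local owner="$1" repo="$2" sha="$3" path="$4"
  case "$sha" in
    ""|*[!0-9a-f]*) echo "refusing non-commit ref: '$sha'" >&2; return 1 ;;
  esac
  [ "${#sha}" -eq 40 ] || { echo "refusing short ref: '$sha'" >&2; return 1; }
  printf 'https://raw.githubusercontent.com/%s/%s/%s/%s\n' \
    "$owner" "$repo" "$sha" "$path"
}

# Compare a local file against an expected digest; succeed only on a match.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Reject the weak defaults the audit warns about. The value is expected to
# come from an environment variable or a file, never from argv, where it
# would be visible in process listings and shell history.
reject_weak_secret() {
  local value="$1"
  case "$value" in
    ""|admin|password|changeme|hummingbot|123456) return 1 ;;
  esac
  [ "${#value}" -ge 16 ]
}

# Download, verify, then execute, in that order. A digest mismatch deletes
# the file and returns non-zero without running a single line of it.
fetch_verify_run() {
  local url="$1" expected="$2" tmp rc=0
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "digest mismatch for $url; not executing" >&2
    rm -f "$tmp"; return 1
  fi
  bash "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (network required, so not run here):
#   url=$(pinned_raw_url OWNER REPO <40-hex-commit-sha> install.sh)
#   HB_PASSWORD="$(cat /run/secrets/hb_password)"
#   reject_weak_secret "$HB_PASSWORD" || exit 1
#   fetch_verify_run "$url" <expected-sha256-from-reviewed-copy>
```

The expected digest must come from a copy of the script you have actually read; pinning the SHA fixes which bytes the URL serves, and the digest check catches the case where the download itself was tampered with or a mirror served something else.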