hummingbot-developer

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads several standard developer tools and installers from well-known and trusted sources.
      • Fetches the Homebrew installation script from GitHub (raw.githubusercontent.com/Homebrew/install/HEAD/install.sh).
      • Downloads Miniconda installers from Anaconda's official repository (repo.anaconda.com).
      • Downloads the Node Version Manager (NVM) install script (raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh).
      • Downloads the official Docker installation script (get.docker.com).
  • [COMMAND_EXECUTION]: The skill makes extensive use of system commands to manage the developer environment, which is the primary purpose of the skill.
      • Uses make install and conda to create and manage Python environments for Hummingbot and the API.
      • Uses pnpm install and pnpm build to compile the Gateway TypeScript source code.
      • Uses docker build and docker compose to build and manage infrastructure services such as Postgres and EMQX.
      • Includes a sudo usermod command in install_deps.sh to configure Docker group permissions on Linux systems.
  • [CREDENTIALS_UNSAFE]: Several scripts and configuration examples contain default credentials intended for local development environments.
      • scripts/install_all.sh writes a .env file with default values: USERNAME=admin, PASSWORD=admin, BROKER_PASSWORD=password, and DATABASE_URL=postgresql+asyncpg://hbot:hummingbot-api@localhost:5432/hummingbot_api.
      • Documentation and scripts reference a default Gateway passphrase (hummingbot).
      • These credentials are restricted to local services (localhost) and are consistent with standard developer-environment defaults.
  • [REMOTE_CODE_EXECUTION]: Automated alerts regarding remote code execution were evaluated as false positives.
      • The curl | python3 pattern found in SKILL.md is used only for JSON formatting via the standard python3 -m json.tool module, not for executing remote scripts.
      • The network operations in scripts/test_integration.py using urllib.request.urlopen are used strictly for health-checking local services (localhost:8000 and localhost:15888) and do not execute the retrieved content.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 09:56 AM