hummingbot-heartbeat

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/bot_status.py executes the docker ps command with static arguments to monitor the health of the Gateway container. This is a legitimate function for monitoring infrastructure.
  • [EXTERNAL_DOWNLOADS]: The skill performs HTTP requests using urllib.request to the configured HUMMINGBOT_API_URL to retrieve status and portfolio information. The automated scanner's alert for remote code execution is a false positive; while the script downloads data, it is parsed as JSON and displayed, not executed as code.
  • [CREDENTIALS_UNSAFE]: Authentication credentials for the Hummingbot API are managed via environment variables. The presence of default 'admin' values in the documentation and example files is for local setup guidance and does not constitute a hardcoded secret exposure.
  • [PROMPT_INJECTION]: The skill ingests data from external API endpoints and includes this data in its output, which is intended to be relayed by the agent to a chat channel. This creates a surface for indirect prompt injection if the API content is attacker-controlled. (Ingestion: scripts/bot_status.py; Boundary markers: None; Capability: subprocess for docker ps; Sanitization: ID truncation).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 02:50 AM