← 返回 Skills 市场

Find Arbitrage Opps

Name: Find Arbitrage Opps
Author: fengtality

作者 Michael Feng · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

456

总下载

当前安装

版本数

在 OpenClaw 中安装

/install find-arbitrage-opps

功能描述

Find arbitrage opportunities across exchanges by comparing prices for fungible token pairs like BTC/WBTC and USDT/USDC.

使用说明 (SKILL.md)

find-arbitrage-opps

Find arbitrage opportunities across all Hummingbot-connected exchanges by comparing prices for a trading pair, accounting for fungible tokens (e.g., BTC = WBTC, USDT = USDC).

Prerequisites

Hummingbot API must be running with exchange connectors configured:

bash \x3C(curl -s https://raw.githubusercontent.com/hummingbot/skills/main/skills/lp-agent/scripts/check_prerequisites.sh)

Workflow

Step 1: Define Token Mappings

User specifies the base and quote tokens, including fungible equivalents:

Base tokens: BTC, WBTC, cbBTC (all represent Bitcoin)
Quote tokens: USDT, USDC, USD (all represent USD)

Step 2: Find Arbitrage Opportunities

# Basic usage - find BTC/USDT arb opportunities
python scripts/find_arb_opps.py --base BTC --quote USDT

# Include fungible tokens
python scripts/find_arb_opps.py --base BTC,WBTC --quote USDT,USDC

# More examples
python scripts/find_arb_opps.py --base ETH,WETH --quote USDT,USDC,USD
python scripts/find_arb_opps.py --base SOL --quote USDT,USDC --min-spread 0.1

# Filter by specific connectors
python scripts/find_arb_opps.py --base BTC --quote USDT --connectors binance,kraken,coinbase

Step 3: Analyze Results

The script outputs:

Prices from each exchange
Best bid/ask across all exchanges
Arbitrage spread (buy low, sell high)
Recommended pairs for arbitrage

Script Options

python scripts/find_arb_opps.py --help

Option	Description
`--base`	Base token(s), comma-separated (e.g., BTC,WBTC)
`--quote`	Quote token(s), comma-separated (e.g., USDT,USDC)
`--connectors`	Filter to specific connectors (optional)
`--min-spread`	Minimum spread % to show (default: 0.0)
`--json`	Output as JSON

Output Example

Arbitrage Opportunities: BTC vs USDT
=====================================

Prices Found:
  binance          BTC-USDT     $67,234.50
  kraken           BTC-USD      $67,289.00
  coinbase         BTC-USD      $67,312.25
  okx              BTC-USDT     $67,198.00
  hyperliquid      BTC-USD      $67,245.00

Best Opportunities:
  Buy  okx BTC-USDT @ $67,198.00
  Sell coinbase BTC-USD @ $67,312.25
  Spread: 0.17% ($114.25)

Environment Variables

export HUMMINGBOT_API_URL=http://localhost:8000
export API_USER=admin
export API_PASS=admin

Scripts check for .env in: ./hummingbot-api/.env → ~/.hummingbot/.env → .env

Requirements

Hummingbot API running
Exchange connectors configured with API keys

安全使用建议

This skill appears to implement what it claims (queries a local Hummingbot API for prices and finds spreads), but there are red flags you should address before installing or running it: - Do NOT blindly run the suggested `bash <(curl -s https://raw.githubusercontent.com/...)` command. That fetches and executes a remote script; inspect its contents first (view the URL in a browser or curl it to a file and read it). - The registry metadata says no env vars, but the script expects HUMMINGBOT_API_URL, API_USER, API_PASS and that exchange connectors are configured with API keys. Provide only least-privileged credentials and avoid using default admin/admin. - The Python script reads .env files from common Hummingbot locations. Those files can contain secrets; verify which .env will be loaded and ensure it doesn't expose unrelated credentials. - Network scope: the script only contacts the configured HUMMINGBOT_API_URL endpoints (connectors, trading-rules, market-data/prices) and uses HTTP Basic auth. Ensure that HUMMINGBOT_API_URL points to a trusted/local service (e.g., localhost) and that the API user has limited permissions. - If you’re unsure, run the script in an isolated environment/container with no sensitive .env mounted, inspect the script code (already included), and manually perform any prerequisite checks rather than executing remote installers. If you want, I can: (a) fetch and show the contents of the referenced prerequisite script URL for review, (b) summarize the full Python file (it was truncated in input) to confirm there are no hidden exfiltration routines, or (c) suggest a safe run checklist/command set to test the skill in isolation.

功能分析

Type: OpenClaw Skill Name: find-arbitrage-opps Version: 1.0.0 The skill is classified as suspicious primarily due to the `curl | bash` pattern found in the `SKILL.md` file under the 'Prerequisites' section. This command (`bash <(curl -s https://raw.githubusercontent.com/hummingbot/skills/main/skills/lp-agent/scripts/check_prerequisites.sh)`) executes arbitrary code fetched from a remote URL, posing a significant supply chain risk and potential for Remote Code Execution (RCE) if the remote script is compromised. While the Python script `scripts/find_arb_opps.py` itself appears to perform its stated function of finding arbitrage opportunities by interacting with a local Hummingbot API and does not show signs of intentional malice or data exfiltration, the `curl | bash` instruction is a critical vulnerability.

能力评估

ℹ Purpose & Capability

The code and SKILL.md match the stated purpose: they query a Hummingbot API for connectors, trading pairs, and prices to surface cross-exchange spreads. However the registry metadata declared no required environment variables/credentials while the SKILL.md and script rely on HUMMINGBOT_API_URL, API_USER, API_PASS and expect exchange API keys configured in Hummingbot. That metadata omission is an inconsistency.

⚠ Instruction Scope

SKILL.md instructs you to run a remote script via `bash <(curl -s https://raw.githubusercontent.com/...)` (executes code fetched from the network). The included Python script also reads local .env files (./hummingbot-api/.env, ~/.hummingbot/.env, .env) to load credentials. While reading those .env files is consistent with needing Hummingbot API credentials, instructing remote script execution and reading arbitrary .env locations expand the scope and risk.

⚠ Install Mechanism

There is no declared install spec (instruction-only), but SKILL.md explicitly tells users to execute a fetched script from raw.githubusercontent.com. Executing code directly from the network is higher risk and should be audited before running. The skill itself (the Python file) has no build/install steps.

⚠ Credentials

The registry claims no required env vars, but both SKILL.md and scripts use HUMMINGBOT_API_URL, API_USER, API_PASS and expect exchange connector API keys configured in Hummingbot. The script will load local .env files (which can contain unrelated secrets). Defaults to admin/admin are insecure. Required secrets are proportionate to the task, but the metadata mismatch and automatic .env loading are concerning.

✓ Persistence & Privilege

The skill does not request persistent presence (always:false) and does not modify other skills or system-wide config. It only runs as a script/command and uses the Hummingbot API. No elevated platform privileges requested.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install find-arbitrage-opps
安装完成后，直接呼叫该 Skill 的名称或使用 /find-arbitrage-opps 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

- Initial public release of the find-arbitrage-opps skill. - Find arbitrage opportunities by comparing fungible token pairs (e.g., BTC/WBTC, USDT/USDC) across all Hummingbot-connected exchanges. - Supports filtering by specific exchanges, setting minimum spread, and JSON output. - Outputs best bid/ask prices and recommended arbitrage trades. - Requires Hummingbot API and configured exchange connectors.

元数据

Slug find-arbitrage-opps

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题