Is aviclaw/lighter safe?

https://github.com/openclaw/skills/tree/main/skills/aviclaw/lighter

94
SAFE

The Lighter Protocol skill is a legitimate trading interface for a zero-knowledge rollup DEX. It includes appropriate security warnings, keeps its functionality transparent, and follows secure coding practices. The main considerations are the inherent risk of trading functionality and the dependency on an external SDK, both of which are properly documented.

Category Scores (score · weight in the overall rating)

Prompt Injection 95/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

LOW External SDK Dependency -10

The skill imports the 'lighter' SDK from an external repository and uses it for order placement. The dependency is documented and necessary for the stated purpose, but any externally sourced dependency is a potential supply-chain risk: pin it to a specific release or commit hash rather than a branch, and review the pinned version before the agent runs it.

LOW API Credential Usage -5

The skill reads API keys and account information from environment variables (LIGHTER_API_KEY, LIGHTER_ACCOUNT_INDEX). This is necessary for authenticated trading operations, but it means the skill handles sensitive data: the key must stay out of logs, error messages, and the agent's transcript, and the loader should fail closed when either variable is missing or malformed rather than proceed with a partial configuration.

INFO Financial Trading Functionality -15

This skill provides direct trading capabilities on a DEX, which carries inherent financial risk. Users should understand that they are granting the agent the ability to execute trades with their API credentials; that authority should be limited to an account funded only with what they are willing to lose, with explicit market and order-size limits enforced outside the agent's control.
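The credential-handling and trading-authority findings above describe the two controls a user would want around a skill like this: fail-closed loading of LIGHTER_API_KEY and LIGHTER_ACCOUNT_INDEX without leaking the key, and an operator-set policy sitting between the agent and order placement. The following is an added example written for this page; it is not code from the aviclaw/lighter skill or from the Lighter SDK. The order-placement call it wraps is a hypothetical callback (fake_place_order, GuardedTrader, TradingPolicy and Credentials are names introduced here), because the real SDK's API is not described on this page.

```python
import os
from dataclasses import dataclass, field
from typing import Any, Callable, Mapping

# Added example, not the aviclaw/lighter skill's code. It assumes the skill reads
# LIGHTER_API_KEY and LIGHTER_ACCOUNT_INDEX from the environment (as the finding
# states) and that the SDK exposes some order-placement call; that call is modelled
# as a hypothetical callback, so nothing here depends on the real 'lighter' SDK.

class CredentialError(ValueError): ...      # credentials missing or malformed
class PolicyViolation(PermissionError): ... # order outside what the operator allowed

@dataclass(frozen=True)
class Credentials:
    api_key: str = field(repr=False)   # keep the key out of tracebacks and logs
    account_index: int = 0

def load_credentials(env: Mapping[str, str] = os.environ) -> Credentials:
    """Read and validate the two variables named in the finding; fail closed."""
    key = env.get("LIGHTER_API_KEY", "").strip()
    idx = env.get("LIGHTER_ACCOUNT_INDEX", "").strip()
    if not key:
        raise CredentialError("LIGHTER_API_KEY is not set")
    if not idx.isdigit():
        raise CredentialError("LIGHTER_ACCOUNT_INDEX must be a non-negative integer")
    return Credentials(api_key=key, account_index=int(idx))

@dataclass(frozen=True)
class TradingPolicy:
    """Limits the operator sets before granting the agent trading ability."""
    allowed_markets: frozenset[str]
    max_order_notional: float     # largest single order, in quote-asset units
    max_session_notional: float   # cumulative live exposure for this agent run
    dry_run: bool = True          # the default never reaches the exchange

@dataclass(frozen=True)
class Order:
    market: str
    side: str        # "buy" or "sell"
    size: float
    price: float

    @property
    def notional(self) -> float:
        return self.size * self.price

# Hypothetical shape of the SDK order call; the real SDK is not modelled here.
PlaceOrder = Callable[[Credentials, Order], dict[str, Any]]

class GuardedTrader:
    """Every order the agent wants to send passes through an explicit policy."""

    def __init__(self, creds: Credentials, policy: TradingPolicy, place_order: PlaceOrder):
        self._creds = creds
        self.policy = policy
        self._place_order = place_order
        self.session_notional = 0.0
        self.audit: list[str] = []

    def submit(self, order: Order) -> dict[str, Any]:
        if order.side not in ("buy", "sell"):
            raise PolicyViolation(f"unknown side {order.side!r}")
        if order.size <= 0 or order.price <= 0:
            raise PolicyViolation("size and price must be positive")
        if order.market not in self.policy.allowed_markets:
            raise PolicyViolation(f"market {order.market} is not allowlisted")
        if order.notional > self.policy.max_order_notional:
            raise PolicyViolation(f"notional {order.notional:.2f} exceeds per-order cap")
        if self.session_notional + order.notional > self.policy.max_session_notional:
            raise PolicyViolation("session exposure cap reached")
        mode = "DRY-RUN" if self.policy.dry_run else "LIVE"
        # The audit line records the account index but never the API key.
        self.audit.append(f"{mode} {order.side} {order.size} {order.market} @ {order.price} "
                          f"account={self._creds.account_index}")
        if self.policy.dry_run:
            return {"status": "dry_run", "notional": order.notional}
        result = self._place_order(self._creds, order)
        self.session_notional += order.notional
        return result

def fake_place_order(creds: Credentials, order: Order) -> dict[str, Any]:
    """Constructed stand-in for the SDK call so the example runs offline."""
    return {"status": "accepted", "account_index": creds.account_index, "notional": order.notional}

if __name__ == "__main__":
    env = {"LIGHTER_API_KEY": "example-key-0000", "LIGHTER_ACCOUNT_INDEX": "7"}  # constructed
    policy = TradingPolicy(frozenset({"ETH-USD"}), 500.0, 1000.0, dry_run=False)
    trader = GuardedTrader(load_credentials(env), policy, fake_place_order)
    print(trader.submit(Order("ETH-USD", "buy", 0.1, 3000.0)))
    try:
        trader.submit(Order("BTC-USD", "buy", 0.01, 60000.0))
    except PolicyViolation as exc:
        print("blocked:", exc)
    print(trader.audit)
```

With dry_run left at its default, the agent can be exercised end to end while every submit() stops short of the exchange; the audit list shows what would have been sent. The session cap is only consumed by live orders, and the policy object is frozen, so the agent cannot raise its own limits from inside the loop.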