ClawHub

Lighter

v2.0.1

Interact with Lighter protocol - a ZK rollup orderbook DEX. Use when you need to trade on Lighter, check prices, manage positions, or query account data.

1· 629·2 current·2 all-time
by@aviclaw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Lighter DEX client) aligns with the included scripts (market queries, account, positions, order placement). However, the registry metadata states 'required env vars: none' while SKILL.md and the scripts require LIGHTER_API_KEY and LIGHTER_ACCOUNT_INDEX; this mismatch should be resolved.
Instruction Scope
SKILL.md and USAGE.md limit actions to the Lighter API and optional official SDK signing. The instructions are explicit about which endpoints are used and warn about reviewing external SDK code and using burner wallets. No instructions request unrelated system files or unrelated credentials.
Install Mechanism
There is no install spec (instruction-only), which reduces install-time risk. The package includes scripts and a requirements.txt that lists requests and comments the lighter-sdk as optional — but scripts/order.py imports 'lighter' (the SDK) and will fail if the SDK isn't installed. The skill correctly warns to review the external SDK on GitHub before installing it.
Credentials
The only secrets the skill uses are LIGHTER_API_KEY and LIGHTER_ACCOUNT_INDEX (plus optional LIGHTER_L1_ADDRESS), which are proportionate to trading/account queries. The inconsistency is that the registry metadata listed no required env vars while SKILL.md and the scripts require them. USAGE.md suggests storing keys in ~/.openclaw/secrets.env — a convenience but not enforced by the code; consider secure storage advice.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not excessive by itself.
Assessment
This skill appears to be a straightforward Lighter protocol client. Before installing or using it with real funds: 1) Verify the SDK repository (https://github.com/elliottech/lighter-python) and confirm the package you install matches that repo; 2) Use a burner/dedicated trading key or account (do not use your main wallet); 3) Confirm what the Lighter API key actually is/permits (API key vs private signing key) and never paste private keys into public places; 4) Note the metadata inconsistency: the skill's manifest omitted required env vars even though SKILL.md and the scripts require LIGHTER_API_KEY and LIGHTER_ACCOUNT_INDEX — make sure you only provide those secrets to this skill if you trust it; 5) If you only need read-only data, avoid installing the SDK and only run the read-only scripts that use requests.

Like a lobster shell, security has layers — review code before you run it.

defivk97e73j5znypbhnnqcs4w2kc8x81enz7dexvk97e73j5znypbhnnqcs4w2kc8x81enz7latestvk977fbeq3y3dpp9t819rwq9qs981zs42pythonvk9740q9ann9hkcqwjmp3znscj981ewqqtradingvk97e73j5znypbhnnqcs4w2kc8x81enz7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments