Lighter
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user running the script with parameters could place a real mainnet trade and change account funds without a separate confirmation step.
The order script directly submits a live Lighter order from command-line parameters. It does not implement a confirm=true flag, final approval prompt, dry-run default, or slippage/loss guard for this high-impact financial action.
result = await signer.create_order(...)
...
parser.add_argument("--amount", type=float, required=True, help="Order amount")
...
asyncio.run(place_order(args.market_id, args.side, args.amount, args.price, args.order_type))

Require an explicit confirmation flag and show a final order summary before signing or submitting; default to read-only or dry-run behavior unless the user clearly approves the exact trade.

A missing or misconfigured account index could cause trades or account actions on an unintended subaccount, potentially the user's main account.
The script uses the provided key as a private signing key and silently falls back to account index 0 if LIGHTER_ACCOUNT_INDEX is missing, even though SKILL.md describes the account index as required for orders.
LIGHTER_ACCOUNT_INDEX = int(os.environ.get("LIGHTER_ACCOUNT_INDEX", "0"))
...
signer = lighter.SignerClient(
url=API_URL,
account_index=LIGHTER_ACCOUNT_INDEX,
api_private_keys={3: LIGHTER_API_KEY}
)

Fail closed when LIGHTER_ACCOUNT_INDEX is absent, clearly label the key as a trading/signing private key, and require users to confirm the target account before live trades.

Installing or updating the external SDK could change the code that handles signing keys and order submission.
The trading path depends on external Python packages with lower-bound rather than pinned versions, and the trading SDK is optional/manual rather than captured by an install spec. This is disclosed and purpose-aligned, but users should verify the package source.
requests>=2.31.0
# Optional: lighter-sdk>=1.0.3 eth-account>=0.12.0
# Only install if you need order placement capabilities

Review the official SDK, pin exact package versions, and use a dedicated burner wallet or limited trading key before enabling order placement.
