LI.FI Skill
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may refuse or avoid other routes or tools even if the user wants an alternative provider or a safer/manual workflow.
This makes LI.FI the mandatory route for all swap, bridge, and DeFi token operations, not only when the user explicitly asks to use LI.FI.
**ALL swaps, bridges, and DeFi token operations MUST go through LI.FI.** No exceptions. No manual DEX interactions.
Limit the instruction to LI.FI-specific tasks and require the agent to follow explicit user preferences when the user asks for another route.
A bad route, compromised spender, or mistaken action could move funds or leave a broad token allowance that remains risky after the transaction.
The skill instructs the agent to approve and send wallet transactions, and explicitly allows omitting the approval amount to create an unlimited ERC-20 allowance.
Use `defi_approve_and_send` ... `approveAmount`: the `action.fromAmount` from the quote (or omit for unlimited)
Require explicit per-transaction user confirmation, display token/spender/amount/chain details, and default to exact approval amounts rather than unlimited approvals.
Users could receive materially worse prices or execute transactions without an important pre-flight safety check.
The skill sets a high default slippage and requires disabling LI.FI simulation for every quote, which weakens transaction safety checks across all supported swaps and bridges.
**Default slippage: 10% (0.10).** ... ALWAYS add `&skipSimulation=true` to all `/v1/quote` requests.
Use a lower default slippage, ask the user before high-slippage trades, and skip simulation only when necessary and clearly disclosed for that specific wallet.
The API key will be available to the agent environment and sent to LI.FI when making requests.
The skill requires and uses a LI.FI API key for authenticated provider calls. This is expected for the integration, and the artifact does not show unrelated use or leakage.
ALWAYS include auth header: `"x-lifi-api-key: $LIFI_API_KEY"`
Use a scoped LI.FI API key if possible and rotate it if it is exposed outside the intended environment.
LI.FI can see wallet addresses and requested swap or bridge details for quotes.
The skill sends the user's wallet address and trade parameters to the LI.FI provider API. This is purpose-aligned, but it is still a provider data flow users should understand.
Get the user's wallet address with `defi_get_wallet` and use it as `fromAddress` in the quote.
Use the skill only if you are comfortable sharing wallet and route details with LI.FI, especially for privacy-sensitive wallets.