Agent Lightning

v1.0.0

Microsoft Research's agent training framework. Optimizes AI agents with Reinforcement Learning, Automatic Prompt Optimization, and Supervised Fine-tuning. Ze...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included examples and instructions (training agents via RL/APO/SFT). Example code and config are appropriate for that purpose. Minor metadata inconsistencies (ownerId in _meta.json vs registry owner id) are present but don't by themselves indicate malicious intent.
Instruction Scope
SKILL.md instructs typical operations for an agent-training library (instrumenting agents, running training/eval/serve, tailing logs). It explicitly references environment variables (OPENAI_API_KEY, optional AGL_STORAGE) and paths (~/.agent-lightning/logs) — these are reasonable for training but are not reflected in declared requirements. Instructions do not ask for unrelated files or system-wide secrets, but they do rely on external services (OpenAI, optional S3) and a dashboard.
Install Mechanism
This is instruction-only (no install spec). SKILL.md directs users to pip install agentlightning and offers a nightly install via test.pypi. Using a test.pypi index or pre-release packages is higher risk than stable PyPI releases because those packages are less vetted; there's no included package code to inspect beyond examples.
Credentials
The registry metadata declares no required env vars, but SKILL.md requires OPENAI_API_KEY and optionally uses an S3 storage URL (AGL_STORAGE). S3 usage implies additional cloud credentials (AWS) which are not mentioned. The mismatch between declared requirements and actual instructions is disproportionate and could lead to inadvertently granting cloud/secret access when following examples.
Persistence & Privilege
always:false and no install spec means the skill does not request forced persistent presence. The examples reference creating logs and checkpoints under user paths (./checkpoints, ~/.agent-lightning) which are expected for training. There is no attempt to modify other skills or system-wide agent settings in the provided files.
What to consider before installing
This package appears to be a legitimate agent-training framework, but be aware of these points before installing or running it:

- The SKILL.md expects an OPENAI_API_KEY and optionally an S3 storage URL (AGL_STORAGE), but the registry metadata lists no required environment variables. Treat this as a mismatch: you will need to provide credentials if you follow the examples.
- If you plan to use AGL_STORAGE with an s3:// URL, that will typically require AWS credentials (access key/secret or an IAM role). Do not reuse high-privilege credentials; prefer a least-privilege IAM user or a sandboxed storage bucket.
- The docs suggest installing nightly/pre-release builds from test.pypi. Prefer the official PyPI release (or inspect the package source code) rather than pre-release indexes when possible.
- Verify the package source: confirm the GitHub repo and homepage links match the package you install, and review the package contents (or run in an isolated environment/container) before giving it secrets.
- If you need assurance, ask the publisher for a reproducible release (hashes) or inspect the published agentlightning package contents before running training that will upload checkpoints or logs.

Given the metadata/instruction mismatches, proceed with caution (use isolated environments and least-privilege credentials).

Additional information that would raise my confidence to 'high': a declared requires.env that matches SKILL.md, a canonical PyPI release URL and package checksum, or the upstream repository/package code included for review.

Like a lobster shell, security has layers — review code before you run it.

latestvk97csgd0rtvc3et03c81hzxa6d81bm89
