Agent Lightning

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent agent-training skill, with expected but important notes around package installation, provider credentials, and persistent training traces/checkpoints.

Before installing, verify you trust the upstream package source, prefer the stable pinned package over nightly builds, use scoped API keys, and keep sensitive data out of traces, logs, checkpoints, and any optional cloud storage.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the package gives that dependency a role in the user’s local Python environment; pre-release builds may be less stable or less reviewed.

Why it was flagged

The skill relies on installing an external package, including an optional pre-release/TestPyPI path. This is disclosed and aligned with the framework purpose, but it introduces normal package supply-chain risk.

Skill content

pip install agentlightning
...
pip install --upgrade --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ --pre agentlightning

Recommendation

Use the stable PyPI package where possible, pin versions for reproducibility, and only use the TestPyPI/pre-release command if you intentionally want nightly builds.

What this means

The framework may use the user’s provider account and may incur API costs; optional remote storage can place training artifacts in a cloud bucket.

Why it was flagged

The skill documents use of a model-provider API key and optional cloud storage. These are expected for training workflows, and the artifacts do not show hardcoded credentials or credential exfiltration.

Skill content

export OPENAI_API_KEY="sk-..."

# Optional: for remote storage
export AGL_STORAGE="s3://my-bucket/agent-lightning/"

Recommendation

Use least-privilege/project-specific API keys, monitor usage costs, and configure any storage bucket with appropriate access controls.

What this means

Sensitive information included in training traces or logs could persist and influence later trained prompts or agent behavior.

Why it was flagged

The training workflow stores and reuses traces/tasks/resources to update prompts. This is core to agent optimization, but those traces may contain prompts, messages, task data, or sensitive context.

Skill content

LightningStore keeps tasks, resources, and traces in sync

# Read traces, learn, and update prompts

Recommendation

Avoid including secrets or private data in traces, review log and checkpoint locations, and set retention/access controls before using remote storage.