drift-sdk
Fail
Audited by Socket on Feb 20, 2026
1 alert found:
Obfuscated File (HIGH): SKILL.md
The documentation describes a powerful trading tool that requires raw private keys and an RPC URL. The file itself is not evidence of malicious code, but the absence of implementation code is a critical blind spot: it is impossible to verify whether signing is local or whether the private key may be exfiltrated. Because high-impact on-chain actions are supported and no secure key-handling or external-signer options are documented, this package poses a notable supply-chain/security risk until the code is audited. Treat as potentially dangerous for real funds; require code review, isolated testing with ephemeral keys, and prefer hardware/external signing before usage.
Confidence: 98%
Audit Metadata