skills/sendaifun/skills/lulo/Gen Agent Trust Hub

lulo

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill communicates with https://api.lulo.fi to generate transaction data.
      • Evidence: Functions generateDepositTransaction and generateWithdrawTransaction fetch base64-encoded transactions from a remote endpoint.
      • Risk: If the remote API were compromised, it could return malicious transactions (e.g., unauthorized transfers) that the skill would then sign.
  • COMMAND_EXECUTION (LOW): The skill uses the @solana/web3.js library to sign and broadcast transactions to the Solana mainnet.
      • Evidence: transaction.sign([wallet]) followed by connection.sendTransaction(transaction) in both deposit.ts and withdraw.ts.
      • Risk: This is 'blind signing' of remotely generated content. While standard for many DeFi agents, it lacks local validation of the transaction instructions before signing.
  • CREDENTIALS_UNSAFE (SAFE): API keys and wallet secrets are accessed via process.env.LULO_API_KEY and process.env.WALLET_SECRET_KEY.
      • Evidence: No hardcoded secrets were found in the analyzed files. The use of environment variables is consistent with security best practices for agent configuration.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:18 PM