VibeTrader

Warn

Audited by ClawScan on May 10, 2026.

Overview

VibeTrader is a coherent trading integration, but it can place live financial trades and run persistent trading bots through a remote service without documented confirmation or risk limits.

Use this skill cautiously. Start in paper trading, do not enable live trading unless you understand the provider and brokerage permissions, require explicit confirmations for any live order, set broker-side limits, and monitor or stop bots regularly.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken, ambiguous, or over-broad instruction could result in real-money trades or closed positions.

Why it was flagged

The skill exposes high-impact live trading actions, including buying, selling, and closing positions. The provided artifacts do not document confirmation gates, trade-size limits, or approval requirements before these actions are taken.

Skill content

`place_order` | Place a buy/sell order ... `close_position` | Close an existing position ... **Live Trading**: Real money trades via Alpaca brokerage

Recommendation

Use paper trading by default, require explicit confirmation for every live order or close-position action, and set broker-side account limits before enabling live trading.

What this means

A bot could keep trading after the initial conversation and potentially cause financial loss if not monitored or stopped.

Why it was flagged

The core workflow creates and starts automated trading bots, including live-trading bots. This persistence is disclosed and purpose-aligned, but the artifacts do not specify runtime limits, expiration, max-loss controls, or other containment for bots that continue acting after creation.

Skill content

Create and manage AI-powered trading bots ... `create_bot` ... `start_bot` ... `pause_bot` ... `delete_bot`

Recommendation

Create bots only with explicit scope, duration, position size, stop-loss, and max-loss limits; verify there is a reliable kill switch before using live mode.

What this means

Anyone with access to the key may be able to view portfolio data or perform trading actions permitted by the VibeTrader account.

Why it was flagged

The API key is expected for this service, but it authenticates financial account and trading operations, so it is a sensitive credential even though no leakage is shown in the artifacts.

Skill content

`VIBETRADER_API_KEY`: `vt_your_api_key_here` ... `Authorization: Bearer YOUR_API_KEY`

Recommendation

Store the key securely, prefer least-privilege or paper-only keys if available, restrict file permissions on configuration files, and rotate the key if exposed.

What this means

Portfolio details and trading commands may be sent to the VibeTrader MCP service for processing.

Why it was flagged

The skill connects the agent to a remote MCP server. This is disclosed and purpose-aligned, but financial data, trading instructions, and authenticated tool calls cross a remote service boundary.

Skill content

"mcp": { "server": { "type": "sse", "url": "https://vibetrader-mcp-289016366682.us-central1.run.app/mcp" } }

Recommendation

Review the provider’s privacy, security, and brokerage-authorization terms before connecting live accounts or sending sensitive portfolio data.

What this means

Users must trust the remote provider’s implementation rather than locally reviewable skill code.

Why it was flagged

There is no local code to inspect; the actionable behavior is implemented by the remote service. This is not inherently unsafe, but it limits reviewability for a high-impact trading integration.

Skill content

Source: unknown ... No code files present — this is an instruction-only skill.

Recommendation

Install only from a source you trust, verify the provider identity, and treat live trading access as a high-value permission.