Alpaca Trading
Trade stocks, ETFs, options, and crypto via Alpaca's REST API using curl. Full options support (buy/sell calls & puts, covered calls, cash-secured puts, spre...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 2 · 1.7k · 15 current installs · 15 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md, README, references, and scripts/alpaca.sh consistently implement an Alpaca REST API wrapper for trading and market data. The requested capabilities (orders, positions, market data, options) match the stated purpose.
Instruction Scope
The runtime instructions are narrowly scoped to calling Alpaca endpoints via the included scripts/alpaca.sh wrapper and to sourcing the script from the skill directory. The script requires APCA_API_KEY_ID and APCA_API_SECRET_KEY and uses them only in HTTP headers to call Alpaca endpoints (expected for a trading integration). There are no instructions to read unrelated system files or exfiltrate data to third-party endpoints.
Install Mechanism
No install spec; the skill is instruction-only plus a small shell script included in the bundle. No downloads or archive extraction are present. This is low risk from installation mechanics.
Credentials
The SKILL.md and scripts require Alpaca API keys (APCA_API_KEY_ID and APCA_API_SECRET_KEY) and expect curl and optionally jq/python. However the registry metadata lists 'required env vars: none' and 'required binaries: none' — this mismatch is suspicious. Requesting Alpaca API keys is proportionate for trading functionality, but the developer registry should have declared these credentials. Additionally the skill can place live trades if APCA_API_BASE_URL is set to the live endpoint; the manifest notes paper by default but source is unknown. Use of full trading credentials carries high risk if the skill is untrusted.
Persistence & Privilege
always:false and default autonomous invocation settings are normal. The skill does not request system-wide configuration or modify other skills. However autonomous invocation combined with trading credentials means the agent could place orders without additional manual steps if not properly gated by the platform — consider limiting invocation or using only paper keys.
What to consider before installing
This skill is functionally coherent: it contains a small shell wrapper that uses your Alpaca API key and secret to call Alpaca endpoints. However the registry metadata incorrectly omits the required environment variables and required binaries (curl/jq), and the source/homepage is not clearly provided — both are red flags you should consider before installing. If you decide to proceed:
- Only provide paper/trading-sandbox API keys (not your live production keys) until you trust the author. Rotate keys afterward.
- Confirm how your agent is allowed to invoke skills (disable autonomous invocation or require explicit user confirmation for order-placement flows if possible).
- Verify the skill's source (the README references a GitHub repo; review that repository to confirm authorship and check for tampering).
- Ensure you understand that the included script will send your API keys in request headers to Alpaca endpoints (expected) and that granting those keys grants the skill the ability to place/cancel orders and access account data.
If you need higher assurance, request the maintainer add the env vars and required binaries to the registry metadata and provide a verifiable homepage/source before using live funds.Like a lobster shell, security has layers — review code before you run it.
Current versionv2.1.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Alpaca Trading Skill
Trade and manage portfolios via Alpaca's REST API using scripts/alpaca.sh.
Setup
Required env vars
| Variable | Purpose |
|---|---|
APCA_API_KEY_ID | Alpaca API key |
APCA_API_SECRET_KEY | Alpaca API secret |
Optional env vars
| Variable | Default | Purpose |
|---|---|---|
APCA_API_BASE_URL | https://paper-api.alpaca.markets | Trading endpoint. Set to https://api.alpaca.markets for live |
APCA_DATA_API_BASE_URL | https://data.alpaca.markets | Market data endpoint |
Paper trading is the default. Always confirm with the user before switching to live.
Helper script
Source scripts/alpaca.sh from this skill directory. Usage:
alpaca METHOD PATH [JSON_BODY]
# Market data:
ALPACA_DATA=1 alpaca METHOD PATH
Quick Reference
Account & portfolio
alpaca GET /v2/account # balance, equity, buying power
alpaca GET /v2/account/configurations # trading config
alpaca GET '/v2/account/portfolio/history?period=1M&timeframe=1D' # portfolio chart
alpaca GET '/v2/account/activities?activity_types=FILL,DIV' # trade/dividend history
alpaca GET /v2/clock # market open/closed
alpaca GET '/v2/calendar?start=2026-03-01&end=2026-03-31' # trading days
Orders — Equities & Crypto
# Market buy (by qty or dollar amount)
alpaca POST /v2/orders '{"symbol":"AAPL","qty":"10","side":"buy","type":"market","time_in_force":"day"}'
alpaca POST /v2/orders '{"symbol":"AAPL","notional":"1000","side":"buy","type":"market","time_in_force":"day"}'
# Crypto (24/7)
alpaca POST /v2/orders '{"symbol":"BTC/USD","qty":"0.001","side":"buy","type":"market","time_in_force":"gtc"}'
# Limit / stop / stop-limit / trailing stop / bracket / OTO / OCO — see references/api.md
# List / get / replace / cancel
alpaca GET /v2/orders
alpaca GET /v2/orders/ORDER_ID
alpaca PATCH /v2/orders/ORDER_ID '{"qty":"20","limit_price":"190.00"}'
alpaca DELETE /v2/orders/ORDER_ID
alpaca DELETE /v2/orders # cancel ALL
Orders — Options
# Buy call (Level 2+)
alpaca POST /v2/orders '{"symbol":"AAPL260418C00260000","qty":"1","side":"buy","type":"market","time_in_force":"day"}'
# Sell covered call (Level 1+, must own 100 shares per contract)
alpaca POST /v2/orders '{"symbol":"AAPL260418C00270000","qty":"1","side":"sell","type":"limit","limit_price":"2.00","time_in_force":"day"}'
# Buy/sell puts, cash-secured puts, spreads (Level 3) — see references/api.md
# Exercise option
alpaca POST /v2/positions/AAPL260418C00260000/exercise
# Look up contracts
alpaca GET '/v2/options/contracts?underlying_symbols=AAPL&expiration_date_gte=2026-04-01&type=call&limit=10'
alpaca GET /v2/options/contracts/AAPL260418C00260000
Positions
alpaca GET /v2/positions # all open
alpaca GET '/v2/positions?asset_class=us_option' # options only
alpaca GET /v2/positions/AAPL # single equity
alpaca GET /v2/positions/NVDA260417C00220000 # single option
alpaca DELETE /v2/positions/AAPL # close
alpaca DELETE '/v2/positions/AAPL?qty=5' # close partial
alpaca DELETE '/v2/positions?cancel_orders=true' # close ALL
Market data — Stocks
ALPACA_DATA=1 alpaca GET /v2/stocks/AAPL/snapshot # quote + trade + bar
ALPACA_DATA=1 alpaca GET '/v2/stocks/snapshots?symbols=AAPL,MSFT,GOOGL' # multi-snapshot
ALPACA_DATA=1 alpaca GET '/v2/stocks/AAPL/bars?timeframe=1Day&start=2026-03-01&limit=30'
ALPACA_DATA=1 alpaca GET /v1beta1/screener/stocks/most-actives
ALPACA_DATA=1 alpaca GET '/v1beta1/screener/stocks/movers?top=10'
ALPACA_DATA=1 alpaca GET '/v1beta1/news?symbols=AAPL&limit=5'
Market data — Options
ALPACA_DATA=1 alpaca GET '/v1beta1/options/snapshots/AAPL?feed=indicative&limit=10' # option chain
ALPACA_DATA=1 alpaca GET '/v1beta1/options/bars?symbols=NVDA260417C00220000&timeframe=1Day&limit=10'
ALPACA_DATA=1 alpaca GET '/v1beta1/options/quotes/latest?symbols=NVDA260417C00220000'
ALPACA_DATA=1 alpaca GET '/v1beta1/options/trades/latest?symbols=NVDA260417C00220000'
# feed: indicative (free/delayed) or opra (subscription required)
Market data — Crypto
ALPACA_DATA=1 alpaca GET '/v1beta3/crypto/us/latest/quotes?symbols=BTC/USD'
ALPACA_DATA=1 alpaca GET '/v1beta3/crypto/us/bars?symbols=BTC/USD&timeframe=1Day&limit=30'
ALPACA_DATA=1 alpaca GET '/v1beta3/crypto/us/snapshots?symbols=BTC/USD,ETH/USD'
Corporate Actions
ALPACA_DATA=1 alpaca GET '/v1/corporate-actions?symbols=AAPL&types=cash_dividend'
# Types: forward_split, reverse_split, cash_dividend, stock_dividend, spin_off, etc.
Assets & Watchlists
alpaca GET /v2/assets/AAPL # asset info
alpaca GET '/v2/assets?status=active&attributes=has_options' # options-enabled stocks
alpaca GET /v2/watchlists # list watchlists
alpaca POST /v2/watchlists '{"name":"Tech","symbols":["AAPL","MSFT","GOOGL"]}'
Full API reference
Read references/api.md for complete endpoint documentation including:
- All order types (limit, stop, stop-limit, trailing stop, bracket, OCO, OTO)
- Order field reference (side, type, time_in_force, order_class)
- Watchlist CRUD
- Options contracts
- Historical bars/trades/quotes with all query params
- Crypto endpoints
- Market calendar
Safety Rules
- Default to paper trading. Never set
APCA_API_BASE_URLto live without explicit user confirmation. - Show the order JSON before submitting. Let the user confirm symbol, qty, side, and type.
- Check market clock before placing orders — stocks only trade during market hours (9:30-16:00 ET) unless
extended_hours: trueon limit orders. - Verify buying power via
GET /v2/accountbefore large orders. - Never provide financial advice. Present data; let the user decide.
- Warn about irreversible actions — closing all positions, canceling all orders.
Troubleshooting
| Symptom | Fix |
|---|---|
HTTP 401 | Check APCA_API_KEY_ID / APCA_API_SECRET_KEY are set and valid |
HTTP 403 | Paper keys on live URL or vice versa; check APCA_API_BASE_URL |
HTTP 422 (insufficient qty) | Check buying power, fractional support, or symbol validity |
HTTP 429 | Rate limited — wait and retry; Alpaca allows 200 req/min |
| Order rejected outside hours | Add "extended_hours":true (limit orders only) or wait for market open |
jq: command not found | Script falls back to python3 -m json.tool; install jq for better output |
Files
4 totalSelect a file
Select a file to preview.
Comments
Loading comments…