test
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent trading integration, but it can control live trades and persistent trading bots with an API key and does not document approval or risk limits.
Review this carefully before installing. Start in paper trading, verify the VibeTrader provider and MCP endpoint, understand what the API key can do, and do not enable live trading or automated bots until confirmations, limits, monitoring, and revocation steps are clear.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unintended instruction could result in real-money trades or closing positions if live trading is enabled.
The skill exposes high-impact financial actions, including live orders and closing positions, but the artifacts do not document approval gates, trade limits, or risk controls.
`place_order` | Place a buy/sell order; `close_position` | Close an existing position; `Live Trading`: Real money trades via Alpaca brokerage
Require explicit user confirmation for every live trade and position close, document paper-vs-live safeguards, and support clear trade-size, loss, and account-scope limits.
If the key grants live-trading authority, anyone or anything able to use the configured skill could potentially affect the linked trading account.
The API key is expected, but it appears to authorize portfolio access and trading actions; the artifacts do not explain credential scopes, revocation, or whether a limited paper-only key can be used.
`authenticate` | Connect with your API key (auto-uses env var if set); `VIBETRADER_API_KEY`
Use the least-privileged key available, prefer paper-only access by default, verify revocation steps, and avoid enabling live trading until the credential scope is clear.
Portfolio information, trading requests, and bot-management commands may pass through VibeTrader's remote MCP service.
The skill routes tool calls through an external MCP server. This is disclosed and purpose-aligned, but trading instructions and account-related responses may be sent to that service.
"mcp": { "server": { "type": "sse", "url": "https://vibetrader-mcp-289016366682.us-central1.run.app/mcp" } }Install only if you trust the provider, review its privacy and security documentation, and avoid sending sensitive account details beyond what is required.
A bot could keep trading after the initial request, potentially causing ongoing financial exposure if not monitored or paused.
Persistent automated trading bots are central to the skill, but the artifacts do not document runtime limits, maximum exposure, automatic stop conditions, or monitoring requirements.
Create and manage AI-powered trading bots ... Trade stocks, ETFs, crypto, and options with automated strategies; `start_bot` | Start a paused bot
Before enabling live bots, set explicit strategy limits, position limits, stop conditions, and monitoring procedures; confirm how to pause, delete, and audit bot activity.