Alpaca Markets CLI
v1.0.1
This skill provides integration with the Alpaca Markets API for trading stocks, options, and cryptocurrencies. Use it when you need to interact with Alpaca's...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Alpaca Markets integration) match the required environment variables (ALPACA_API_KEY, ALPACA_API_SECRET), the included helper script (alpaca_api.py) which sends HTTP requests to Alpaca endpoints, and the example usage. No unrelated credentials or tools are requested.
Instruction Scope
SKILL.md and the scripts restrict activity to Alpaca API endpoints and advise using paper trading credentials and isolated environments. One small caveat: the code uses ALPACA_BASE_URL (optional) as the request base; if a user sets this to an attacker-controlled URL, the script would send credentials and requests there. This is a configurable risk (declared in frontmatter) rather than hidden behavior.
Install Mechanism
No install spec; the skill ships as source files (Python scripts) and a requirements.txt (requests). There are no downloads or installers that fetch arbitrary remote code at install time. This is low-risk for supply-chain surprises.
Credentials
Only ALPACA_API_KEY and ALPACA_API_SECRET are required (ALPACA_BASE_URL optional). These are exactly the credentials needed to call Alpaca's API; they are proportionate to the skill's trading purpose and are declared in metadata/frontmatter.
Persistence & Privilege
always is false; the skill does not request persistent/privileged presence or modify other skills. Model invocation is allowed (default) but that is normal and not combined with other red flags.
Assessment
This skill appears to do what it says: a small set of Python helpers to call Alpaca's REST API. Before installing or running: (1) prefer paper-trading credentials and never use live keys until you audit and test; (2) review alpaca_api.py yourself (it's included) to confirm behaviors you expect; (3) do not set ALPACA_BASE_URL to a URL you don't control or trust (an attacker-controlled base URL would receive your API key/secret); (4) consider running the scripts in an isolated container or VM and restrict network egress if you want extra protection; (5) check network activity and logs when first running to ensure requests go to Alpaca endpoints.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: ALPACA_API_KEY, ALPACA_API_SECRET
