Alpaca Markets CLI
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a transparent Alpaca trading helper, but it exposes broad live-trading and bulk account-changing actions that should be reviewed before use with real funds.
Install only if you intend to let the agent interact with Alpaca. Start with paper trading credentials, do not set ALPACA_BASE_URL to the live API until you have reviewed the workflow, and require manual confirmation for any order placement, order cancellation, or position-closing action.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user invokes this with live credentials, a mistaken or overly broad request could alter real orders or positions and cause financial loss.
The script exposes a raw Alpaca API caller with mutation and delete methods rather than narrowly scoped, confirmation-gated trading actions. In this brokerage context, that can place, replace, cancel, or close financial positions.
parser.add_argument("method", help="HTTP method: GET, POST, PATCH, PUT, DELETE")
...
parser.add_argument("endpoint", help="Endpoint path such as /v2/account")
...
allowed_methods = {"GET", "POST", "PUT", "PATCH", "DELETE"}
Use paper trading credentials first. Require explicit user confirmation for POST, PATCH, PUT, DELETE, and especially bulk cancel/close actions; consider restricting allowed endpoints and validating order sizes before live use.
Providing live Alpaca credentials gives the skill authority over real account data and trading operations.
The skill clearly discloses that it needs Alpaca API credentials and gives paper-trading safety guidance. This is expected for the stated purpose, but the credentials can authorize sensitive brokerage actions.
Set environment variables:
- `ALPACA_API_KEY`
- `ALPACA_API_SECRET`
- `ALPACA_BASE_URL` (optional; defaults to paper trading URL)

### Security / Credential Use
- Use paper trading credentials by default.
- Do not use live trading credentials until you have audited the code path you plan to run.
Prefer paper credentials, keep live credentials separate, only set the live base URL intentionally, and rotate credentials if you suspect they were used with an untrusted environment.
