Alpaca Trading
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad command could submit or cancel real market orders.
The documented tool can place and cancel trades, including a force mode that bypasses confirmations; this is expected for a trading skill but can affect real money if used incorrectly.
python3 scripts/alpaca_cli.py order buy AAPL 10
...
python3 scripts/alpaca_cli.py cancel all # Cancel all open orders
...
Use `--force` to skip all confirmation prompts
Use paper trading by default, require explicit per-order approval for live trading, and avoid --force or cancel-all unless the user specifically requests it.
Anyone or any agent process with access to these keys may be able to view the account and trade according to the key permissions.
The skill requires Alpaca credentials that can access account data and, when configured for live trading, authorize real trades; this is purpose-aligned but sensitive.
Requires API credentials stored in environment or config:
export ALPACA_API_KEY="your-api-key"
...
export ALPACA_SECRET_KEY="your-secret-key"
...
ALPACA_PAPER="true" # "true" for paper, "false" for live
Use paper or least-privilege keys where possible, store keys securely, and remove live credentials when not needed.
Installing an unexpected or tampered package could affect the local environment that handles trading credentials.
The script depends on an external Python package, but the artifact set has no install spec or pinned dependency; this is normal for the integration but leaves package provenance to the user.
print("Run: pip install alpaca-py")
Install alpaca-py from the official package index or a trusted environment, and consider pinning a reviewed version before using live credentials.
