Alpaca Trading
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: alpaca
Version: 1.0.0

The OpenClaw Alpaca skill is benign. It is designed to interact with the Alpaca API for trading and market data, which is its stated purpose. The `SKILL.md` provides clear instructions and emphasizes safety with 'Order Guardrails' and 'Safety Notes' for the AI agent, showing no signs of prompt injection. The `alpaca_cli.py` script securely loads credentials from environment variables or `~/.openclaw/credentials/alpaca.json`, stores alerts in `~/.openclaw/data/alpaca-alerts.json`, and implements robust input validation and user confirmation steps before executing sensitive actions like placing orders. There is no evidence of data exfiltration, malicious execution, persistence, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad command could submit or cancel real market orders.
The documented tool can place and cancel trades, including a force mode that bypasses confirmations; this is expected for a trading skill but can affect real money if used incorrectly.
python3 scripts/alpaca_cli.py order buy AAPL 10
...
python3 scripts/alpaca_cli.py cancel all # Cancel all open orders
...
Use `--force` to skip all confirmation prompts
Use paper trading by default, require explicit per-order approval for live trading, and avoid --force or cancel-all unless the user specifically requests it.
Anyone or any agent process with access to these keys may be able to view the account and trade according to the key permissions.
The skill requires Alpaca credentials that can access account data and, when configured for live trading, authorize real trades; this is purpose-aligned but sensitive.
Requires API credentials stored in environment or config:
export ALPACA_API_KEY="your-api-key"
...
export ALPACA_SECRET_KEY="your-secret-key"
...
ALPACA_PAPER="true" # "true" for paper, "false" for live
Use paper or least-privilege keys where possible, store keys securely, and remove live credentials when not needed.
Installing an unexpected or tampered package could affect the local environment that handles trading credentials.
The script depends on an external Python package, but the artifact set has no install spec or pinned dependency; this is normal for the integration but leaves package provenance to the user.
print("Run: pip install alpaca-py")
Install alpaca-py from the official package index or a trusted environment, and consider pinning a reviewed version before using live credentials.
