Back to skill

Security audit

Alpaca Trading

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Alpaca trading skill, but it needs review because it can affect live brokerage accounts and some destructive actions lack strong confirmation safeguards.

Install only if you intentionally want an agent to use your Alpaca account. Prefer paper trading first, keep live API keys tightly controlled, require explicit approval before any live order or cancellation, and avoid --force or cancel all unless you deliberately intend that exact account action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes sensitive capabilities including environment-variable access, filesystem writes, and network use, but does not declare permissions. That creates a transparency and governance gap: users or orchestrators may invoke a skill capable of reading credentials, placing trades, and persisting data without an explicit permission boundary. In a financial-trading context, undeclared capabilities are more dangerous because they can affect both secrets and real money.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description understates and misstates behavior: it omits local persistence, websocket streaming, and watchlist/alert management, while also claiming crypto support that may not exist. This can cause unsafe invocation under false assumptions, especially where users believe they are only retrieving market data but the skill also manages state and can operate in live-trading workflows. In financial tools, behavior-description mismatch materially increases operational and security risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger guidance is broad enough to activate the trading skill for ordinary questions like stock prices or portfolio discussion, even when the user did not intend to authorize a trading-capable tool. Over-broad routing is especially dangerous here because the same skill can progress from harmless data retrieval to account access or order placement, increasing the chance of accidental financial actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The markdown mentions paper versus live trading and says to confirm with the user, but it does not prominently warn that live mode can place irreversible real-money trades. Insufficient warning increases the risk that users or downstream agents will invoke the skill without appreciating the consequences, particularly when `--force` can bypass confirmations. In a live brokerage context, weak warnings are a serious safety issue.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This reference documents order placement and cancellation capabilities for live and paper trading without any user-safety guidance, confirmation requirements, or warnings about irreversible financial consequences. In a trading skill, omission of such guardrails materially increases the risk of accidental or unauthorized trades, especially because the same API surface can affect real funds.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `cancel all` path performs a destructive account operation with no confirmation prompt, making accidental or coerced invocation able to cancel every open order immediately. In a trading skill, this can materially alter trading strategy, interrupt exits/entries, and cause financial harm even without credential theft.

Missing User Warnings

Low
Confidence
85% confidence
Finding
Deleting a watchlist without confirmation allows accidental or unintended destruction of user state. While the impact is lower than order execution changes, it can still disrupt workflows and portfolio monitoring in a financial context.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Clearing all saved alerts overwrites the local alerts store immediately, so a mistaken command can destroy user-defined monitoring state without recovery. This is a safety and integrity issue rather than a confidentiality breach, but it is still a real destructive action.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### GET /v2/orders/{order_id}
Get order by ID.

### DELETE /v2/orders/{order_id}
Cancel order.

### DELETE /v2/orders
Confidence
90% confidence
Finding
DELETE /v2/orders/{order_id}

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### DELETE /v2/orders/{order_id}
Cancel order.

### DELETE /v2/orders
Cancel all orders.

## Order Types
Confidence
97% confidence
Finding
DELETE /v2/orders

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.