Alpaca Py Cli

Security checks across malware telemetry and agentic risk

Overview

This skill is for brokerage trading and is mostly transparent, but it gives agents broad setup, credential, and trading authority without enough safeguards.

Install only if you are comfortable giving an agent access to brokerage workflows. Use paper-trading keys first, avoid live credentials in shell startup files, do setup and API-key creation yourself when possible, and require explicit confirmation for every order with symbol, side, quantity, order type, and paper/live mode.
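The per-order confirmation described above, as an added example in Python (this is not code from the Alpaca CLI or from the skill under review). It requires the user to echo every order parameter, refuses live mode unless the operator opted in, and cross-checks the claimed mode against the API host the client is actually configured for. The host names are the Alpaca paper and live API hosts as I recall them and are an assumption here, as is the `OrderRequest` shape:

```python
"""Per-order confirmation gate for an agent driving a brokerage CLI.

Added example, not part of the Alpaca CLI or of the skill being reviewed.
The API host names below are assumptions (Alpaca paper/live hosts as I
recall them); adjust them if your client uses different endpoints.
"""
from dataclasses import dataclass

VALID_SIDES = {"buy", "sell"}
VALID_TYPES = {"market", "limit", "stop", "stop_limit"}
# Assumed mapping of trading mode to API host (not taken from the page).
MODE_HOSTS = {"paper": "paper-api.alpaca.markets", "live": "api.alpaca.markets"}


@dataclass(frozen=True)
class OrderRequest:
    symbol: str
    side: str
    qty: int
    order_type: str
    mode: str        # "paper" or "live"
    api_host: str    # host the client is actually configured to talk to


def validate(order: OrderRequest) -> None:
    """Reject malformed or internally inconsistent orders before any prompt is shown."""
    if not order.symbol.isalpha():
        raise ValueError(f"unexpected symbol: {order.symbol!r}")
    if order.side not in VALID_SIDES:
        raise ValueError(f"unknown side: {order.side!r}")
    if order.qty <= 0:
        raise ValueError("quantity must be positive")
    if order.order_type not in VALID_TYPES:
        raise ValueError(f"unknown order type: {order.order_type!r}")
    if order.mode not in MODE_HOSTS:
        raise ValueError(f"unknown mode: {order.mode!r}")
    # A client labelled "paper" but pointed at the live host is the false-safety case.
    if MODE_HOSTS[order.mode] != order.api_host:
        raise ValueError(f"mode {order.mode!r} does not match host {order.api_host!r}")


def confirmation_phrase(order: OrderRequest) -> str:
    """The exact text the user must type. It echoes every parameter so a stale
    'yes' from earlier context cannot be replayed against a different order."""
    return (f"CONFIRM {order.side.upper()} {order.qty} {order.symbol.upper()} "
            f"{order.order_type.upper()} {order.mode.upper()}")


def order_is_authorized(order: OrderRequest, user_reply: str, allow_live: bool = False) -> bool:
    """True only when the order validates, live mode is permitted, and the
    reply matches the confirmation phrase exactly (whitespace-trimmed)."""
    validate(order)
    if order.mode == "live" and not allow_live:
        return False
    return user_reply.strip() == confirmation_phrase(order)


if __name__ == "__main__":
    paper = OrderRequest("AAPL", "buy", 10, "market", "paper", "paper-api.alpaca.markets")
    print(confirmation_phrase(paper))                             # CONFIRM BUY 10 AAPL MARKET PAPER
    print(order_is_authorized(paper, "yes"))                      # False: a bare yes is not enough
    print(order_is_authorized(paper, confirmation_phrase(paper)))  # True
```

The gate is meant to sit between the agent's intent and the actual `buy`/`sell` invocation: the agent prints the phrase, the human types it back, and only an exact match releases the order. Generating a fresh phrase per order is what defeats the stale-context problem the findings below describe.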

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The README makes a misleading safety claim: it says agents cannot access keys directly, while elsewhere it states the keys are stored as environment variables accessible to shell processes. In an agent setting, this can cause users or integrators to overtrust the skill and permit shell access or setup actions under a false assumption that credentials are isolated.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding
The skill markets paper trading as the default and lower-risk mode, but the same document also provides normal operational guidance for live trading with real money. That mismatch can cause agents or users to underestimate financial risk and proceed with real trades under a false sense of safety.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The document labels `alpaca init` as safe and non-interactive, yet places it inside an agent workflow that proceeds to browser automation, account registration, and API-key acquisition. This framing can mislead an agent into treating the overall setup flow as low risk, even though it culminates in sensitive credential handling and account creation actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The quick-start section presents `alpaca init` as a simple first step without repeating the nearby consent and credential-storage warnings. Users or agents following only the quick-start path may run a command that alters shell startup files and persists API keys without fully understanding the side effects.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The agent workflow explicitly instructs the agent to run `alpaca init` as part of setup, but omits the required consent gate and the fact that the command changes shell config and persists credentials. In an AI-agent context, this is especially dangerous because it normalizes autonomous credential-handling behavior and could lead to unauthorized modification of user environments or exposure of trading secrets.

Vague Triggers

Severity: Medium
Confidence: 64%
Finding
A broad activation example such as a user expressing interest in trading can cause an agent to invoke the skill and begin account setup or trading-adjacent actions without sufficiently specific authorization. In a finance context, ambiguous activation is more dangerous because it can lead to credential handling or monetary operations from casual intent.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The documentation describes buy and sell commands as normal usage without an explicit requirement for transaction-specific user confirmation. In a trading skill, omission of that safeguard can enable unintended market orders and direct financial loss if an agent acts on an ambiguous request or stale context.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The automated setup section normalizes browser automation for registration, email verification, key generation, and key extraction without a strong warning at the point of use. That omission is dangerous because it encourages agents to perform sensitive identity and credential operations as routine automation rather than exceptional, consent-gated actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The setup explicitly instructs users to save Alpaca API credentials into shell startup files such as ~/.zshrc, ~/.bashrc, or ~/.profile without warning about the security tradeoffs. Those files are commonly readable by other local processes, copied into backups, echoed during debugging, or accidentally committed/synced, so storing long-lived trading credentials there increases exposure risk.
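An added audit for the exposure this finding describes, written for this page and not part of the Alpaca CLI or the skill: it scans the startup files named above for credential assignments and reports them with the values redacted. The variable names it looks for (`APCA_API_KEY_ID`, `APCA_API_SECRET_KEY`, plus a loose `ALPACA_*KEY*` pattern) are the Alpaca environment variables as I recall them and are an assumption; extend the pattern to whatever your setup actually exports. The sample `.zshrc` content is constructed:

```python
"""Audit shell startup files for persisted brokerage credentials.

Added example, not part of the Alpaca CLI or of the skill. The variable
names below are assumptions (Alpaca API-key environment variables as I
recall them); extend KEY_LINE for your own setup.
"""
import re
from pathlib import Path

STARTUP_FILES = ("~/.zshrc", "~/.bashrc", "~/.profile", "~/.zprofile", "~/.bash_profile")

# Matches `export NAME=value`, `NAME="value"` or `NAME='value'` on its own line.
KEY_LINE = re.compile(
    r"^\s*(?:export\s+)?(APCA_API_KEY_ID|APCA_API_SECRET_KEY|ALPACA_[A-Z0-9_]*KEY[A-Z0-9_]*)"
    r"\s*=\s*([\"']?)(\S+?)\2\s*$",
    re.MULTILINE,
)


def redact(value: str) -> str:
    """Keep enough of the value to recognise the key, never enough to use it."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def find_persisted_keys(text: str) -> list[tuple[str, str]]:
    """Return (variable name, redacted value) for each credential assignment in text."""
    return [(m.group(1), redact(m.group(3))) for m in KEY_LINE.finditer(text)]


def audit_startup_files(paths=STARTUP_FILES) -> dict[str, list[tuple[str, str]]]:
    """Scan the current user's real startup files; maps path -> hits (files without hits are omitted)."""
    results = {}
    for p in paths:
        path = Path(p).expanduser()
        if path.is_file():
            hits = find_persisted_keys(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample of a ~/.zshrc written the way the skill's setup suggests.
SAMPLE_RC = """\
export PATH="$HOME/bin:$PATH"
export APCA_API_KEY_ID="PKTESTKEYID1234"
export APCA_API_SECRET_KEY=notarealsecretvalue
alias ll='ls -la'
"""

if __name__ == "__main__":
    for name, shown in find_persisted_keys(SAMPLE_RC):
        print(f"persisted credential in startup file: {name}={shown}")
    print(audit_startup_files())
```

A hit means the key is loaded into every interactive shell and inherited by every process those shells start, which is exactly the exposure the finding describes. The remediation is to remove the line, rotate the key in the Alpaca dashboard, and supply credentials to the CLI only for the session that needs them.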

Ssd 3

Severity: High
Confidence: 97%
Finding
The skill explicitly instructs agents to obtain API keys via browser automation and then save them for reuse. This is dangerous because it authorizes the agent to collect and persist highly sensitive trading credentials, increasing the risk of credential theft, misuse, and unauthorized account access.

Ssd 4

Severity: High
Confidence: 96%
Finding
The workflow incrementally treats account signup, email verification, API-key generation, extraction, and persistence as standard agent duties. This normalizes a full sensitive-account bootstrap pipeline, expanding the blast radius from simple documentation into end-to-end credentialed account control by the agent.

Ssd 3

Severity: High
Confidence: 98%
Finding
The example flow concretely tells the agent to navigate to the API keys page, generate credentials, extract them, and configure the environment. This provides operational instructions for handling secrets in a way that can directly compromise a user's brokerage account if the agent, logs, or environment are exposed.

Ssd 3

Severity: High
Confidence: 97%
Finding
The quick summary presents registration completion and API-key extraction as part of standard agent operation. Because this is positioned as concise guidance, it is especially likely to be followed verbatim, leading to routine automated collection of sensitive brokerage credentials.

VirusTotal

66/66 vendors reported this skill as clean. A clean antivirus verdict covers the skill's files, not the findings above, which concern what the skill instructs an agent to do.

View on VirusTotal