trading-execution

This document is a functional skill spec enabling programmatic trading via a third-party service at https://b.alph.ai using a browser session cookie for authentication. The primary security concerns are credential exposure (exporting a full-session browser cookie), centralizing sensitive operations to a single remote service, lack of enforced per-action confirmation, and absence of least-privilege credential guidance. There is no direct evidence of embedded malware or code obfuscation in the provided text, but the authentication pattern and operational model present a meaningful supply-chain and account compromise risk. Recommendations: do not use exported browser session cookies; require scoped, short-lived API credentials (or OAuth) with limited scopes; enforce user confirmation at the host level for any funds-moving action; validate and vet b.alph.ai before trusting with credentials; add guidance on credential rotation, audit logging, and minimizing retained sensitive data.