alpaca-trading
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation provides instructions to download the Rust toolchain installer from the official
rustup.rsdomain, a standard procedure for setting up the environment required by theapcaclitool. - [CREDENTIALS_UNSAFE]: The README and SKILL files suggest storing sensitive Alpaca API keys in environment variables and persisting them in shell profile files like
~/.zshrc, resulting in plain-text storage on the user's machine. - [COMMAND_EXECUTION]: The skill facilitates the execution of the
apcaclibinary for various financial operations, including buying and selling assets and managing portfolios through command-line inputs. - [REMOTE_CODE_EXECUTION]: Installation instructions include a command that pipes a remote script from
https://sh.rustup.rsinto the shell. This is recognized as a standard installation path for the Rust programming language toolchain.
Audit Metadata