alpaca-trading
Audited by Socket on Mar 3, 2026
1 alert found:
Malware

The README/skill is a legitimate operational guide for apcacli with no direct signs of intentional malware or obfuscation.

Primary concerns are operational security and supply-chain risk: (1) use of curl|sh to install rustup and reliance on cargo install create supply-chain and installation-time exposure; (2) API keys are high-value secrets passed via environment variables and could be exfiltrated or misused if scripts or agents capture them; (3) the CLI can autonomously perform real trades and the docs include scripting/streaming examples that enable unattended automation, which is risky without strict runtime confirmations, access controls, and use of paper keys.

Recommended mitigations: avoid piping installers, verify checksums/signatures, use paper keys for testing, manage secrets with a vault or restricted process, require explicit human confirmation for live trades, audit apcacli source before installing, and restrict which agents/processes can execute trading commands.