alpaca-trading-mcp
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's installation documentation instructs users to download and execute an installation script for the 'uv' package manager from 'astral.sh', which is the official domain for the tool's developers.
- [REMOTE_CODE_EXECUTION]: The skill configuration utilizes 'uvx' to dynamically download and run the 'alpaca-mcp-server' package from the Python package registry. This is the standard method for deploying this MCP server.
- [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by design.
  - Ingestion points: Untrusted external data is brought into the agent's context through tools like 'get_news', which fetches market news articles, and 'get_corporate_actions_announcements' (SKILL.md).
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands within the fetched market data are provided in the instructions.
  - Capability inventory: The agent is granted highly sensitive capabilities, including the ability to place financial trades via 'post_orders' and liquidate assets via 'delete_positions_by_symbol_or_asset_id' (SKILL.md).
  - Sanitization: The skill does not document any mechanisms for sanitizing or validating the content of the external news or market data before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata