alpaca-trading-mcp

The skill is purpose-aligned and mainly uses official sources, so it does not look malicious. However, it is still high-impact because it installs external tooling, forwards brokerage credentials to a package/runtime, and enables autonomous financial actions including live trading; classify as BENIGN in intent but MEDIUM/HIGH security risk.