alpaca

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXPOSURE]: The skill accesses a local .env file to retrieve API keys. This is documented as a standard and recommended practice for secret management within the execution environment.
  • Evidence: The load_env() function in scripts/alpaca_cli.py targets Path(__file__).resolve().parents[3] / ".env".
  • [EXTERNAL_DOWNLOADS]: The skill requires the alpaca-py library, which is the official Python SDK for the well-known Alpaca brokerage service.
  • Evidence: package: alpaca-py is listed in the SKILL.md metadata and installation instructions.
  • [COMMAND_EXECUTION]: The skill facilitates trading and market data retrieval through a Python CLI script. All network communication is directed to well-known Alpaca API endpoints (paper-api.alpaca.markets and api.alpaca.markets).
  • Evidence: The script implements commands like place, cancel, and quote, and includes a mandatory --confirm-live safety flag for any operations involving real currency.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 18, 2026, 09:26 PM