patches429

Storyclaw Alpaca Trading

by Parker · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
296 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install storyclaw-alpaca-trading
Description
US stock and crypto trading via Alpaca API. Paper trading (simulated) and real trading supported. Real-time quotes, orders, positions, RSI strategy.
Usage Guidance
This skill is capable of placing real market orders via Alpaca and includes an aggressive, all‑in strategy. Before installing: (1) only supply paper-trading API keys and test thoroughly in paper mode, (2) inspect or remove aggressive-strategy.js if you don't want automated 'buy max' behavior, (3) verify where the code is loading credentials (credentials/{USER_ID}.json vs config.json vs env vars) so you don't accidentally expose or use live keys, (4) do not allow autonomous agent invocation to run trades without an explicit, human confirmation step, and (5) run the code in a sandboxed environment first. If you want to proceed, test each command manually with paper keys and confirm the bot never runs unattended.
Capability Analysis
Type: OpenClaw Skill
Name: storyclaw-alpaca-trading
Version: 0.1.0
The skill bundle contains a path traversal vulnerability in `scripts/config-loader.js`, where the `USER_ID` or `TELEGRAM_USER_ID` environment variable is used to construct a file path (`credentials/{USER_ID}.json`) without sanitization. Additionally, `scripts/aggressive-strategy.js` utilizes `execSync` to execute shell commands constructed from script logic, which is a high-risk pattern. While the bundle appears to be a functional Alpaca trading tool, these vulnerabilities could be exploited to read unauthorized files or execute arbitrary code if environment variables are manipulated.
Capability Assessment
Purpose & Capability
Name/description (Alpaca trading) match the included Node scripts which call Alpaca APIs. Requested binary 'node' is appropriate. However, the metadata and SKILL.md declare ALPACA_API_KEY/ALPACA_API_SECRET env vars, while the code primarily loads per-user credentials from credentials/{USER_ID}.json (config-loader) and momentum-strategy even reads a repo-level config.json — this is inconsistent and may cause accidental use of the wrong credential source.
Instruction Scope
SKILL.md instructs the agent to always ask and require explicit confirmation before executing trades, but the scripts themselves (trading.js, momentum-strategy.js, aggressive-strategy.js) will submit market orders when invoked. The instruction set relies on human-in-the-loop behavior but does not enforce it programmatically. Commands and examples reference USER_ID / TELEGRAM_USER_ID; config-loader requires USER_ID or TELEGRAM_USER_ID environment variables — this coupling may be surprising and could lead to running with unintended credentials or without explicit confirmation.
Install Mechanism
No install spec or external downloads are declared (instruction-only plus included source files). No suspicious external URLs or extract operations. The highest-risk install patterns are not present.
Credentials
The skill declares ALPACA_API_KEY and ALPACA_API_SECRET (appropriate for Alpaca), but the code mainly expects per-user credential files (credentials/{USER_ID}.json) and momentum-strategy reads config.json from the repo root. This mismatch can lead to confusion about where to place secrets and increases the chance of accidentally exposing or using the wrong API keys. The number of secrets requested is minimal and appropriate for trading, but the credential-loading behavior is inconsistent and could cause accidental use of live trading credentials.
Persistence & Privilege
always:false (good). disable-model-invocation:false (default) allows the agent to call the skill autonomously; combined with the skill's ability to place market orders, that expands blast radius. This is not a platform misconfiguration by itself, but you should treat the skill as capable of performing impactful actions if the agent is allowed to invoke it without manual confirmation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install storyclaw-alpaca-trading
  3. After installation, invoke the skill by name or use /storyclaw-alpaca-trading
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of storyclaw-alpaca-trading.
- Enables US stock and crypto trading via the Alpaca API, supporting both paper (simulated) and real trading
- Provides real-time quotes, order management, position tracking, and technical indicators like RSI
- Enforces critical safety rules: explicit user confirmation required for all trades and plans
- Supports multiple users with individual credentials and environment variable configuration
- Includes command-line scripts for account checks, trading, strategy, and market data queries
Metadata
Slug storyclaw-alpaca-trading
Version 0.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Storyclaw Alpaca Trading?

US stock and crypto trading via Alpaca API. Paper trading (simulated) and real trading supported. Real-time quotes, orders, positions, RSI strategy. It is an AI Agent Skill for Claude Code / OpenClaw, with 296 downloads so far.

How do I install Storyclaw Alpaca Trading?

Run "/install storyclaw-alpaca-trading" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Storyclaw Alpaca Trading free?

Yes, Storyclaw Alpaca Trading is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Storyclaw Alpaca Trading support?

Storyclaw Alpaca Trading is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Storyclaw Alpaca Trading?

It is built and maintained by Parker (@patches429); the current version is v0.1.0.
