patches429

Storyclaw Alpaca Trading

Author: Parker · GitHub · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 296
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install storyclaw-alpaca-trading
Description
US stock and crypto trading via Alpaca API. Paper trading (simulated) and real trading supported. Real-time quotes, orders, positions, RSI strategy.
Safe usage advice
This skill is capable of placing real market orders via Alpaca and includes an aggressive, all‑in strategy. Before installing: (1) only supply paper-trading API keys and test thoroughly in paper mode, (2) inspect or remove aggressive-strategy.js if you don't want automated 'buy max' behavior, (3) verify where the code is loading credentials (credentials/{USER_ID}.json vs config.json vs env vars) so you don't accidentally expose or use live keys, (4) do not allow autonomous agent invocation to run trades without an explicit, human confirmation step, and (5) run the code in a sandboxed environment first. If you want to proceed, test each command manually with paper keys and confirm the bot never runs unattended.
Functional analysis
Type: OpenClaw Skill
Name: storyclaw-alpaca-trading
Version: 0.1.0
The skill bundle contains a path traversal vulnerability in `scripts/config-loader.js`, where the `USER_ID` or `TELEGRAM_USER_ID` environment variable is used to construct a file path (`credentials/{USER_ID}.json`) without sanitization. Additionally, `scripts/aggressive-strategy.js` utilizes `execSync` to execute shell commands constructed from script logic, which is a high-risk pattern. While the bundle appears to be a functional Alpaca trading tool, these vulnerabilities could be exploited to read unauthorized files or execute arbitrary code if environment variables are manipulated.
Capability assessment
Purpose & Capability
Name/description (Alpaca trading) match the included Node scripts which call Alpaca APIs. Requested binary 'node' is appropriate. However, the metadata and SKILL.md declare ALPACA_API_KEY/ALPACA_API_SECRET env vars, while the code primarily loads per-user credentials from credentials/{USER_ID}.json (config-loader) and momentum-strategy even reads a repo-level config.json — this is inconsistent and may cause accidental use of the wrong credential source.
Instruction Scope
SKILL.md instructs the agent to always ask and require explicit confirmation before executing trades, but the scripts themselves (trading.js, momentum-strategy.js, aggressive-strategy.js) will submit market orders when invoked. The instruction set relies on human-in-the-loop behavior but does not enforce it programmatically. Commands and examples reference USER_ID / TELEGRAM_USER_ID; config-loader requires USER_ID or TELEGRAM_USER_ID environment variables — this coupling may be surprising and could lead to running with unintended credentials or without explicit confirmation.
Install Mechanism
No install spec or external downloads are declared (instruction-only plus included source files). No suspicious external URLs or extract operations. The highest-risk install patterns are not present.
Credentials
The skill declares ALPACA_API_KEY and ALPACA_API_SECRET (appropriate for Alpaca), but the code mainly expects per-user credential files (credentials/{USER_ID}.json) and momentum-strategy reads config.json from the repo root. This mismatch can lead to confusion about where to place secrets and increases the chance of accidentally exposing or using the wrong API keys. The number of secrets requested is minimal and appropriate for trading, but the credential-loading behavior is inconsistent and could cause accidental use of live trading credentials.
Persistence & Privilege
always:false (good). disable-model-invocation:false (default) allows the agent to call the skill autonomously; combined with the skill's ability to place market orders, that expands blast radius. This is not a platform misconfiguration by itself, but you should treat the skill as capable of performing impactful actions if the agent is allowed to invoke it without manual confirmation.
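How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install storyclaw-alpaca-trading
  3. Once installation completes, invoke the Skill directly by name or trigger it with /storyclaw-alpaca-trading
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history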
v0.1.0
Initial release of storyclaw-alpaca-trading.
- Enables US stock and crypto trading via the Alpaca API, supporting both paper (simulated) and real trading
- Provides real-time quotes, order management, position tracking, and technical indicators like RSI
- Enforces critical safety rules: explicit user confirmation required for all trades and plans
- Supports multiple users with individual credentials and environment variable configuration
- Includes command-line scripts for account checks, trading, strategy, and market data queries
Metadata
Slug storyclaw-alpaca-trading
Version 0.1.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is Storyclaw Alpaca Trading?

US stock and crypto trading via Alpaca API. Paper trading (simulated) and real trading supported. Real-time quotes, orders, positions, RSI strategy. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 296 total downloads so far.

How do I install Storyclaw Alpaca Trading?

Run the command "/install storyclaw-alpaca-trading" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Storyclaw Alpaca Trading free?

Yes, Storyclaw Alpaca Trading is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Storyclaw Alpaca Trading support?

Storyclaw Alpaca Trading is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Storyclaw Alpaca Trading?

It is developed and maintained by Parker (@patches429); the current version is v0.1.0.
