Security Audit
lacymorrow/alpaca-trading-skill:root
github.com/lacymorrow/alpaca-trading-skillTrust Assessment
lacymorrow/alpaca-trading-skill:root received a trust score of 89/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Unpinned Package Installation, Unsafe Shell Command Construction.
The analysis covered 4 layers: dependency_graph, llm_behavioral_safety, manifest_analysis, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit ec07d129). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned Package Installation The skill instructs the installation of the 'apcacli' crate via 'cargo install' without specifying a version number. This exposes the user to supply chain risks if a malicious update is pushed to the package registry or if the package name is hijacked. Specify a specific version number (e.g., `cargo install apcacli --version X.Y.Z`) to ensure reproducible and secure installations. | Unknown | SKILL.md:66 | |
| MEDIUM | Unsafe Shell Command Construction The skill instructs the agent to construct shell commands based on user input (e.g., ticker symbols) without providing input validation guidelines. If the agent blindly inserts user-provided text into the command line arguments, it could allow for command injection via shell metacharacters (e.g., '; rm -rf /'). Add explicit instructions to the skill to validate that inputs (like symbols) consist only of alphanumeric characters before constructing the command. | Unknown | SKILL.md:116 |
Scan History
Embed Code
[](https://skillshield.io/report/3c6f14fe62100987)
Powered by SkillShield