Low Risk — Risk Score 15/100
Last scan: 1 day ago
storyclaw-alpaca-trading
US stock and crypto trading via Alpaca API with paper trading and real trading support
Legitimate trading skill with minor documentation gaps and inconsistent credential handling patterns that don't constitute malicious behavior.
Skill Name: storyclaw-alpaca-trading
Duration: 49.5s
Engine: pi
Safe to install
Document all scripts in SKILL.md, prefer environment variable usage over JSON file storage for credentials, and add explicit permission declarations for shell execution.

Findings 3 items

Severity | Finding | Location

Low
Undocumented strategy scripts (Doc Mismatch)
aggressive-strategy.js and momentum-strategy.js exist but are not mentioned in SKILL.md. Users cannot audit their behavior from the documentation.
Evidence:
  #!/usr/bin/env node
  /**
   * Aggressive Trading Strategy
→ Document all available scripts in SKILL.md or remove undocumented scripts.
Location: scripts/aggressive-strategy.js:1

Low
Inconsistent credential handling (Sensitive Access)
momentum-strategy.js hardcodes the config.json path and ignores environment variables, while the main trading.js supports both. This creates user confusion and potential credential mishandling.
Evidence:
  const CONFIG_PATH = path.join(__dirname, '..', 'config.json');
→ Use the same config-loader.js as trading.js for consistent credential handling.
Location: scripts/momentum-strategy.js:19

Info
Plaintext credential storage (Sensitive Access)
API keys are stored in credentials/{USER_ID}.json files. While not unusual, environment variables are generally preferred for sensitive credentials.
Evidence:
  {"apiKey": "", "apiSecret": ""}
→ Consider emphasizing environment variable usage (ALPACA_API_KEY, ALPACA_API_SECRET) in the documentation.
Location: credentials/example.json:1
Resource     Declared  Inferred  Status       Evidence
Filesystem   READ      READ      ✓ Aligned    config-loader.js:32 - reads credentials/{USER_ID}.json
Network      READ      READ      ✓ Aligned    trading.js:60-95 - HTTPS requests to Alpaca API
Shell        NONE      WRITE     ✗ Violation  aggressive-strategy.js:13 - execSync('node trading.js ...')
Environment  READ      READ      ✓ Aligned    config-loader.js:18 - reads USER_ID/TELEGRAM_USER_ID
External URLs: 4 findings

Severity  Type          URL                                                Location
Medium    External URL  https://paper-api.alpaca.markets                   SKILL.md:35
Medium    External URL  https://data.alpaca.markets                        SKILL.md:36
Medium    External URL  https://api.alpaca.markets                         SKILL.md:40
Medium    External URL  https://app.alpaca.markets/brokerage/new-account   SKILL.md:96

File Tree

7 files · 34.8 KB · 1154 lines
JavaScript: 4 files, 1037 lines · Markdown: 1 file, 105 lines · JSON: 2 files, 12 lines
├─ 📁 credentials
│ └─ 📋 example.json JSON 6L · 131 B
├─ 📁 scripts
│ ├─ 📜 aggressive-strategy.js JavaScript 110L · 3.2 KB
│ ├─ 📜 config-loader.js JavaScript 59L · 1.9 KB
│ ├─ 📜 momentum-strategy.js JavaScript 395L · 11.2 KB
│ └─ 📜 trading.js JavaScript 473L · 15.1 KB
├─ 📋 config.example.json JSON 6L · 172 B
└─ 📝 SKILL.md Markdown 105L · 3.1 KB

Security Positives

✓ All network requests go to legitimate Alpaca API endpoints (paper-api.alpaca.markets, data.alpaca.markets)
✓ No base64 encoding, obfuscation, or anti-analysis techniques detected
✓ No credential exfiltration or external data transfer observed
✓ No sensitive paths (~/.ssh, ~/.aws, .env) accessed
✓ No reverse shell, C2, or reverse engineering indicators
✓ Clean codebase with no suspicious patterns