github analyzed 397cf36

alpacahq/alpaca-mcp-server

Alpaca’s official MCP Server lets you trade stocks, ETFs, crypto, and options, run data analysis, and build strategies in plain English directly from your favorite LLM tools and IDEs

maintainer: alpacahq
license: MIT
first seen: 2026-06-01
last seen: 2026-06-05
releases · 30d: 0
short id
risk 52/100 · heuristic grade C · elevated
  • capability exposure · inferred · +28
  • recent drift · inferred · +12
  • tool safety · inferred · +12

The A–E grade is our heuristic synthesis — a "review this" prompt, not a verdict. Each factor is tagged by what backs it: attested (a verifiable record), reported (a third party's claim), or inferred (our own heuristic, e.g. permissions). See methodology.

graded 13m ago · see ecosystem CVEs →

risk trajectory 1 movements
  • A · 0 → C · 52
capability exposure grade factor +28
Inferred surface — each links to servers holding it:
vulnerabilities 0 CVEs

No known CVEs for this server.

tool safety 1 findings · grade factor +12
  1. high · dangerous code

    dynamic exec: eval()/exec()

skills & danger signals github-tarball
prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed commit 397cf36 · analyzer v18 · 7h ago

skills & prompt files 1

danger signals 1


Heuristic, inferred signals — false positives (legitimately powerful tools, forks, language ports) are expected. Treat each as "review this", not a verdict. See the ecosystem-wide picture on the security hub, or the fleet security of alpacahq.