Ibkr Options Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a broker-connected trading skill with real order and cancellation capability, and its documentation contains conflicting read-only claims that users should review before installing.

Install only if you understand that this skill can access sensitive IBKR account data and includes a live trading script. Keep IB Gateway in paper or read-only mode unless you intentionally want trading, review trade.py before enabling IBKR_TRADING_ENABLED, avoid broad auto-use for casual market questions, and treat any JSON output files as brokerage statements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README presents contradictory security claims: it says the toolkit is read-only by design, yet separately documents a `trade.py` component that can place live orders. In a trading assistant, misleading users or downstream agents about execution capability is dangerous because it can cause them to trust the skill in contexts where order placement should be explicitly prohibited or separately approved.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The disclaimer states the toolkit does not place orders and never calls `placeOrder()`, directly contradicting the earlier trading-mode documentation. False assurances in a broker-connected skill are security-relevant because they can cause users, reviewers, or orchestrating agents to underestimate the risk of enabling or invoking the skill in environments with live account access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README explicitly documents a `trade.py` capability that can place or cancel orders, while the skill metadata presents the skill as an analytics/trading-assistant toolkit and repeatedly emphasizes read-only behavior elsewhere. This scope mismatch is dangerous because an agent or integrator may grant the skill broader trust than intended and unknowingly expose order-entry functionality against a live brokerage account.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The disclaimer states the repository is read-only and 'never calls `placeOrder()`', but earlier sections describe a `trade.py` script that can submit orders when flags are enabled. This contradiction can mislead reviewers, users, and agent frameworks into treating the skill as non-transactional, creating a serious risk of unauthorized or unexpected order execution on a real IBKR account.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation exposes futures and forex trading workflows even though the skill metadata frames the assistant around options and stocks. This scope expansion is dangerous because an orchestrator or user may invoke unsupported high-risk asset classes through the same skill, bypassing intended capability boundaries and increasing the chance of unauthorized or unexpectedly leveraged trading actions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file states that `trade.py` can place real orders and also documents cancellation behavior, while the skill description presents the assistant primarily as an analysis and recommendation tool. That mismatch is security-relevant because systems or users may grant the skill broader trust than intended, leading to real-money order placement or order management without clear disclosure in the manifest-level contract.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The code explicitly exempts the cancel command from the trading safety gates and labels it as 'intrinsically safe,' but order cancellation mutates live trading state and can materially affect execution outcomes. In a trading assistant context, an unexpected or induced cancellation can remove protective orders, disrupt strategies, or alter risk exposure without requiring the same confirmation path as order placement.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata frames the capability as an analysis and recommendation assistant, but this file contains live trade placement and cancellation logic across equities, options, futures, and FX. That mismatch is dangerous because downstream systems or users may invoke the skill expecting read-only analysis, while the code is capable of executing real-money actions if its gates are satisfied, significantly increasing the risk of unintended financial transactions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger scope is overly broad, instructing activation for generic finance-related requests, including stock price queries even when the user does not explicitly mention IBKR. In the context of a skill with access to portfolio data and optional trade execution, broad auto-activation increases the chance of unnecessary invocation, unintended disclosure of sensitive brokerage context, or accidental routing into higher-risk functionality.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The disclaimer downplays or omits the fact that the skill can place live trades when trading mode is enabled. For a broker-integrated assistant, understated execution capability materially increases user and agent miscalibration, making accidental use of an order-capable component more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The trigger guidance encourages broad automatic invocation for requests about options, risk, P&L, and account data, but does not foreground that using the skill will access and expose sensitive brokerage data to the agent context. In a brokerage skill, this omission is risky because users may trigger the skill casually without realizing positions, Greeks, balances, or P&L could be ingested into model context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is broad enough to activate on generic trading questions, not just authenticated IBKR-account tasks. That creates unnecessary exposure of account-linked tools and can cause the agent to route ordinary market questions into a more privileged skill, increasing the chance of over-collection, unintended account access, or use of riskier tooling than needed.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Directing the agent to fire whenever a user asks about 'their' positions or P&L, even without mentioning IBKR, weakens scope boundaries and encourages implicit use of brokerage-linked data. In a financial skill with access to live account state and potential trade execution paths, this increases the risk of unauthorized or surprising access to sensitive account information and can steer users into a higher-stakes workflow without clear consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This file provides detailed, prescriptive options-trading rules and strategy recommendations, including leverage, undefined-risk trades, earnings plays, and position-sizing heuristics, but it does not include clear risk disclosures, suitability constraints, or warnings about substantial financial loss. In the context of an IBKR trading assistant that is explicitly intended to guide real users on buy/sell decisions and account-linked risk, the omission materially increases the chance that users treat educational heuristics as actionable advice and incur significant losses.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This strategy library is part of a trading assistant that can guide users toward specific options trades, yet it presents risky strategies and selection logic without a general suitability, loss, or educational-only warning. In this context, omission of cautionary disclosures can materially increase the chance that users follow unsafe recommendations they do not understand, especially retail users attracted by simplified labels like rookie/intermediate/expert.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The document includes explicitly unlimited-risk strategies such as short straddles and short strangles, but lacks a clear, centralized cautionary warning section highlighting margin, assignment, gap risk, and potentially catastrophic losses. Because this file feeds an IBKR trading assistant that may rank and suggest strategies, the absence of strong warnings makes the content more dangerous than a neutral textbook reference.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script can write triggered alerts, including portfolio-derived values such as unrealized P&L, delta, IV, DTE, and prices, to any path provided via --output. In a trading-assistant context this is sensitive financial telemetry, and allowing arbitrary file destinations increases the chance of accidental disclosure, unsafe permissions, or overwriting files in shared environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When a portfolio file is supplied, the script extracts symbols from positions and sends them to external APIs without explicit user consent or a warning. Even though only tickers are transmitted, they can reveal holdings or trading interests, which is sensitive in a brokerage/options assistant context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes highly sensitive brokerage data, including positions, account identifiers, P&L, and portfolio Greeks, to any caller-supplied path with no warning, path restrictions, or permission checks. In an agent/tooling context, this creates a real data-exposure risk because another component or prompt-driven workflow could direct output to an unsafe location, where financial data may be persisted, shared, or later exfiltrated.

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
76% confidence
Finding
pyyaml

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
82% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
