IBKR Trader Toolkit

[Warn] Audited by ClawScan on May 13, 2026.

Overview

This appears to be a legitimate IBKR portfolio/options analysis toolkit, but its alert feature evaluates local rule text as Python code, which is unsafe if that file is ever modified or poisoned.

Install only if you are comfortable giving the agent read-only access to IBKR market and portfolio data. Enable IBKR Gateway's Read-Only API mode, keep it localhost-only, and avoid running alerts_monitor.py on any alert YAML you have not personally reviewed. The alert-rule eval issue should be fixed before using the monitor as a recurring cron job.

Publisher note

This skill is a read-only client for Interactive Brokers (IBKR) trading data. Behaviors that may look unusual to ClawScan:

1. Network access — connects to local IB Gateway (127.0.0.1:4001) for account data, and api.nasdaq.com for the public earnings calendar (no key). Optional Finnhub fallback if user provides FINNHUB_API_KEY.
2. User-data file access — reads/writes ~/.ibkr_wheel_journal.json, ~/.ibkr_alerts.yaml, and ~/.ibkr_flex/*.csv. These are local config/journal files owned by the user, never transmitted.
3. Read-only by design — ib_async is initialized with readonly=True; IBKR Gateway's "Read-Only API" toggle provides a second layer. The skill cannot place, modify, or cancel orders.

Source: https://github.com/AlexLiu0130/ibkr-trader-toolkit

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A poisoned alert rule could run unintended Python code under the user's account, especially if the user runs the alert monitor periodically via cron.

Why it was flagged

The script evaluates alert conditions from a user-writable YAML config as Python code. Even with limited builtins, Python eval is difficult to sandbox safely: removing `__builtins__` does not block attribute access, so an expression can walk from any object through `__class__`, `__base__` and `__subclasses__()` to every loaded class and, from there, to functions such as `os.system`. The config file can be modified by malware, another tool, or an untrusted sync source, and whatever it contains then runs with the user's privileges.

Skill content
return bool(eval(condition, safe_globals, safe_locals)), None
Recommendation

Do not run alerts_monitor.py on unreviewed alert files. The publisher should replace eval with a safe expression parser or strict AST whitelist that only permits numeric comparisons and boolean operators.
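As an added example (not code from the toolkit), the flagged eval pattern beside an AST-whitelist evaluator of the kind the recommendation describes. The field names (`price`, `delta`, `iv_rank`) and sample values are constructed for the example, and `check_rule` mirrors the `(result, error)` tuple shape of the quoted line. The unsafe variant shows why stripping builtins is not enough: the expression `().__class__.__base__.__subclasses__()` still reaches every loaded class, so the whitelist rejects attribute access and calls outright.

```python
import ast
import operator

# Constructed sample metrics for the example; the field names are assumptions,
# not the toolkit's actual alert variables.
SAMPLE_VALUES = {"price": 101.5, "delta": 0.32, "iv_rank": 48.0}


def eval_condition_unsafe(condition: str, values: dict):
    """The flagged pattern: eval() with builtins stripped. Attribute access
    still works, so a poisoned rule can walk from any object to every loaded
    class (and from there to functions such as os.system)."""
    safe_globals = {"__builtins__": {}}
    return eval(condition, safe_globals, dict(values))


class UnsafeCondition(ValueError):
    """Raised for any syntax outside the numeric/boolean whitelist."""


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP_OPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def _eval_node(node, values):
    # Literals: numbers and booleans only (no strings, so no attribute tricks).
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    # Names resolve only against the supplied metric dictionary.
    if isinstance(node, ast.Name):
        if node.id not in values:
            raise UnsafeCondition(f"unknown variable {node.id!r}")
        return values[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_node(node.operand, values)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, values),
                                       _eval_node(node.right, values))
    if isinstance(node, ast.BoolOp):
        results = [_eval_node(v, values) for v in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.Compare):
        # Chained comparisons (10 < price <= 200) evaluate pairwise.
        left = _eval_node(node.left, values)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise UnsafeCondition(f"disallowed comparison {type(op).__name__}")
            right = _eval_node(comparator, values)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    # Everything else (Call, Attribute, Subscript, Lambda, ...) is rejected.
    raise UnsafeCondition(f"disallowed syntax: {type(node).__name__}")


def check_rule(condition: str, values: dict):
    """Drop-in shape for the flagged line: returns (fired, error)."""
    try:
        tree = ast.parse(condition, mode="eval")
        return bool(_eval_node(tree.body, values)), None
    except (UnsafeCondition, SyntaxError, ZeroDivisionError, TypeError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    print(check_rule("price > 100 and delta < 0.35", SAMPLE_VALUES))
    print(check_rule("__import__('os').system('id')", SAMPLE_VALUES))
    print(type(eval_condition_unsafe("().__class__.__base__.__subclasses__()", {})))
```

Because the evaluator never executes a `Call`, `Attribute` or `Subscript` node, a poisoned rule fails closed with an error instead of running; the monitor should log that error and treat the rule as not fired, which matters most when it runs unattended from cron.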

What this means

The agent may access live brokerage positions, P&L, and market data when answering trading questions.

Why it was flagged

The skill connects to a logged-in Interactive Brokers environment and reads account/portfolio data. This is expected for an IBKR trading assistant, and the artifacts state it is read-only, but brokerage account data is sensitive and high-impact.

Skill content
Read IBKR config from env vars (`IBKR_HOST`, `IBKR_PORT`, `IBKR_CLIENT_ID_BASE`, `IBKR_MARKET_DATA_TYPE`) ... Are read-only — they can never place orders
Recommendation

Use a paper or read-only IBKR Gateway session when possible, keep the Gateway restricted to localhost, and confirm the IBKR Read-Only API setting is enabled.
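A preflight check that enforces this recommendation before any connection is attempted, added here as an example and not part of the toolkit. It reads the env vars the skill documents (`IBKR_HOST`, `IBKR_PORT`, `IBKR_CLIENT_ID_BASE`, `IBKR_MARKET_DATA_TYPE`), refuses any non-loopback host (including `0.0.0.0`), forces `readonly=True` in the returned settings rather than reading it from config, and reports whether the port is a paper-trading port. The defaults, the function name, and the IBKR-side facts used here (Gateway 4001 live / 4002 paper, TWS 7496 live / 7497 paper, market data types 1 to 4) are the example's assumptions; only 127.0.0.1:4001 is stated on the page.

```python
import ipaddress
import os

# Defaults are assumptions for the example; only 127.0.0.1:4001 is stated in
# the publisher note.
DEFAULTS = {
    "IBKR_HOST": "127.0.0.1",
    "IBKR_PORT": "4001",
    "IBKR_CLIENT_ID_BASE": "1",
    "IBKR_MARKET_DATA_TYPE": "3",
}
PAPER_PORTS = {4002, 7497}   # IB Gateway / TWS paper-trading defaults (assumed)
LIVE_PORTS = {4001, 7496}    # IB Gateway / TWS live defaults (assumed)


class GatewayConfigError(ValueError):
    """Raised when the configuration would weaken the localhost, read-only posture."""


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # any other hostname is not trusted as local
        return False


def gateway_config(env=None) -> dict:
    """Validate IBKR_* settings and return a dict safe to feed a connect() call."""
    source = os.environ if env is None else env
    cfg = {key: source.get(key, default) for key, default in DEFAULTS.items()}
    host = cfg["IBKR_HOST"].strip()
    if not _is_loopback(host):
        raise GatewayConfigError(
            f"IBKR_HOST={host!r} is not a loopback address; refusing a remote Gateway")
    try:
        port = int(cfg["IBKR_PORT"])
        client_id = int(cfg["IBKR_CLIENT_ID_BASE"])
        md_type = int(cfg["IBKR_MARKET_DATA_TYPE"])
    except ValueError as exc:
        raise GatewayConfigError(f"non-integer IBKR_* setting: {exc}") from exc
    if not 1 <= port <= 65535:
        raise GatewayConfigError(f"IBKR_PORT={port} out of range")
    if md_type not in (1, 2, 3, 4):   # 1 live, 2 frozen, 3 delayed, 4 delayed-frozen
        raise GatewayConfigError(f"IBKR_MARKET_DATA_TYPE={md_type} is not 1-4")
    return {
        "host": host,
        "port": port,
        "clientId": client_id,
        "readonly": True,           # always forced; never taken from config
        "marketDataType": md_type,
        "paper": port in PAPER_PORTS,
        "live": port in LIVE_PORTS,
    }


if __name__ == "__main__":
    print(gateway_config())
```

The check cannot see whether the Gateway's own "Read-Only API" toggle is on; that has to be confirmed in the Gateway settings. What it does guarantee is that the client side never opens a remote or read-write session by accident, and a caller can warn when `live` is true and `paper` is false.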

What this means

The agent may consult IBKR data for trading-related questions even when the user did not explicitly request an IBKR lookup.

Why it was flagged

The skill gives broad invocation guidance that can steer the agent toward IBKR account lookups for portfolio/P&L questions. This is aligned with the skill purpose, but it increases the chance of using brokerage data when the user's intent is ambiguous.

Skill content
Fire **even if the user doesn't mention IBKR** — if they're asking about *their* positions or P&L, this skill is the source of truth.
Recommendation

Ask for confirmation before accessing account-specific data when the user's request is ambiguous or could be answered without brokerage account access.

What this means

Local journal entries can influence future analysis and may reveal financial trading history if the file is exposed.

Why it was flagged

The toolkit uses persistent local financial journal data to produce future wheel-strategy summaries. This is purpose-aligned, but the data is sensitive and can affect future recommendations if edited incorrectly.

Skill content
The script reads `~/.ibkr_wheel_journal.json` (your manual entries) and cross-references live positions from IBKR
Recommendation

Keep local IBKR journal and alert files private, review changes before relying on summaries, and avoid syncing them to untrusted locations.

What this means

Different users may install different dependency versions, which can affect behavior or supply-chain exposure.

Why it was flagged

The README documents pip installation, and several Python dependencies are specified with minimum versions rather than exact pinned versions. This is common, but it leaves dependency resolution to the user's environment.

Skill content
pandas>=2.2
numpy>=2.0
pyyaml>=6.0
python-dotenv>=1.0
requests>=2.31
Recommendation

Install in a virtual environment, review dependencies, and prefer a lockfile or fully pinned versions for production use.