IBKR Trading

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This skill matches its IBKR trading purpose, but it needs review because it can use brokerage credentials to place and automatically confirm trades while keeping the session alive.

Review carefully before installing. Start only with an IBKR paper account, protect the .env credential file, disable or tightly control the keepalive cron job, and modify the bot so every trade and IBKR confirmation requires explicit human approval with clear size and account limits.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A bot or agent using this helper could submit and confirm trades that affect a real brokerage account, potentially causing financial loss.

Why it was flagged

The trading wrapper automatically accepts IBKR order confirmation prompts after placing an order. That is high-impact financial mutation without a clear per-order user approval or safety limit.

Skill content
```python
if result[0].get("messageIds"):
    # Confirm the order
    confirm = self._post(f"/v1/api/iserver/reply/{result[0]['id']}", {
        "confirmed": True
    })
```

Recommendation

Require explicit user approval for every order and confirmation, default to paper trading, add account and quantity limits, and remove or gate the automatic confirmation behavior.

What this means

Anyone who can read the .env file or access the running session may be able to act through the user’s IBKR account.

Why it was flagged

The skill asks the user to store IBKR login credentials locally for automated authentication. This is expected for IBeam/IBKR access, but these are high-value financial credentials.

Skill content
Create `~/trading/.env`:
```bash
IBEAM_ACCOUNT=your_username
IBEAM_PASSWORD='your_password'
```

Recommendation

Use a paper account first, restrict file permissions on .env, avoid sharing the trading directory, and understand that the skill will operate with brokerage account authority.

Note: High Confidence

ASI10: Rogue Agents

What this means

The IBKR session may remain active longer than expected, increasing the time window in which automated code can act on the account.

Why it was flagged

The script is designed for recurring background execution and can trigger the authentication script when the session expires. This is disclosed, but it extends brokerage session persistence.

Skill content
```python
Run via cron every 5 minutes to keep session active.
...
subprocess.Popen(["bash", auth_script],
                 stdout=subprocess.DEVNULL,
                 stderr=subprocess.DEVNULL)
```

Recommendation

Only enable the cron job intentionally, monitor it, provide a clear stop/logout procedure, and disable keepalive when automated trading is not needed.

What this means

Compromised or changed upstream packages could affect a trading environment that has brokerage access.

Why it was flagged

The user-run setup downloads the IBKR gateway and installs unpinned Python packages. This is consistent with the skill’s purpose, but it adds external dependency/provenance risk.

Skill content
```bash
wget -q https://download2.interactivebrokers.com/portal/clientportal.gw.zip
...
pip install -q ibeam requests urllib3
```

Recommendation

Verify the IBKR download, pin Python package versions, use a dedicated virtual environment, and review dependencies before using the bot with a live account.