IBKR CLI
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its IBKR trading purpose, but it can read brokerage account data and submit or cancel orders without clear built-in approval or scoping safeguards.
Review carefully before installing. Use paper trading first, set explicit host/port/client/account values, use read-only mode for data requests, and do not allow any order or cancellation unless you personally confirm the exact account, symbol, side, quantity, order type, and price.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent invokes the trading commands incorrectly, it could submit or cancel brokerage orders and cause financial loss.
Order placement and cancellation are first-class documented commands; the artifacts do not pair these high-impact financial actions with mandatory confirmation, dry-run, paper-only enforcement, or transaction limits.
```bash
python3 scripts/ibkr_cli.py place-order --symbol AAPL --sec-type STK --action BUY --quantity 10 --order-type MKT
...
python3 scripts/ibkr_cli.py cancel-order --order-id 12345
```
Require explicit user confirmation for every order or cancellation, default to dry-run or paper trading, add order-size/account limits, and consider disabling autonomous model invocation for trading actions.
The skill can operate under the user’s active IBKR account session, which may expose balances, positions, executions, and trading authority.
The skill depends on delegated brokerage account/API authority, while the account is optional and may default to whatever the active TWS/Gateway session exposes.
- Interactive Brokers account with API permissions.
- TWS or IB Gateway running with API enabled.
...
- `IBKR_ACCOUNT` (optional)
Declare the brokerage credential/session requirement clearly, require an explicit account and port for trading, and default read-only for non-trading workflows.
A compromised or unexpected dependency version could affect code that has access to IBKR trading workflows.
The dependency is purpose-aligned, but the install instruction is unpinned and lacks hash verification, which matters more for a skill that can control a brokerage account.
`ib_insync` installed:
```bash
pip install ib_insync
```
Install dependencies in a trusted environment, pin known-good versions, and verify package provenance before using with a real brokerage account.
