Skill v1.0.0

ClawScan security

IBKR CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 2:58 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements match its stated purpose (an Interactive Brokers CLI) and do not request unexplained credentials or perform unexpected network/exfiltration actions.
Guidance
This skill appears to do exactly what it claims: a local CLI for Interactive Brokers via ib_insync. Before installing or using it:
1) Review and run tests in a safe environment (paper account); the CLI can place/cancel real orders.
2) Install ib_insync from PyPI (pip install ib_insync) rather than running unknown install scripts.
3) Keep IBKR_HOST at its default (127.0.0.1) unless you intentionally want to connect to a remote IB Gateway/TWS; do not point it to untrusted remote hosts.
4) Inspect the code yourself if you are concerned. There are no obfuscated network calls or hidden endpoints, but trade-capable scripts carry financial risk if misused.

Review Dimensions

Purpose & Capability
ok: Name/description describe an IBKR CLI and the repository contains Python and bash CLIs, legacy wrappers, and tests that implement account queries, market data, historical data, contract lookup, scanners, and order placement, all consistent with the stated purpose.
Instruction Scope
note: SKILL.md and the scripts limit actions to connecting to TWS/IB Gateway and performing IB operations. One notable capability: the CLI can place and cancel real orders, so use with caution (test in paper mode). The instructions do not attempt to read unrelated files or exfiltrate data to third-party endpoints; connection parameters can be overridden to point at arbitrary hosts (by design), so ensure you don't point it to untrusted remote endpoints.
Install Mechanism
ok: No install spec is provided (instruction-only for environment setup). The SKILL.md recommends installing the well-known ib_insync package from PyPI; there are no downloads from arbitrary URLs or extract/remote install steps in the manifest.
Credentials
ok: No required secrets or config paths are declared. The code accepts optional IBKR_HOST/IBKR_PORT/IBKR_CLIENT_ID/IBKR_ACCOUNT environment variables (documented) which are appropriate for configuring an IB connection. No unrelated credentials or high-privilege environment access is requested.
Persistence & Privilege
ok: Skill is not always-enabled and does not request persistent or elevated platform privileges. It does perform actions (including placing orders) when invoked, which is expected for a trading CLI.