IBKR Autonomous Trader

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate IBKR trading skill, but it needs Review because it can affect real brokerage positions and has under-scoped automatic trading controls.

Install only if you intentionally want an autonomous IBKR trading agent. Keep it in paper trading, keep IBKR read-only unless you are deliberately testing orders, and review or remove automatic shutdown liquidation and automatic strategy-parameter application before any live use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The document promises that parameter changes will not affect live execution until validated, but elsewhere it describes applying improvements and changing active configuration state. In an autonomous trading skill, this inconsistency can cause operators or downstream code to assume a safety gate exists when strategy parameters may in fact be changed and used, increasing the risk of unintended trading behavior.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The safety note implies rollback is achieved by resetting `current_version`, but the example states that configuration files must also be manually updated. This mismatch creates a dangerous false sense of recoverability: operators may believe they have reverted strategy behavior while the active config still uses modified parameters, leading to continued unintended trading decisions.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger language is overly broad, including generic terms like "trade" and instructions to always use the skill for any trading-related task, even exploratory ones. This can cause the skill to activate in contexts where the user only wants discussion or education, unnecessarily exposing broker connectivity, autonomous execution logic, and stateful trading workflows. Because this skill is for automated trading, accidental invocation carries elevated risk compared with a benign informational skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document explicitly instructs users to disable the broker platform's read-only safety control in order to place orders, and it also documents live-trading ports without a prominent warning about the risk of sending real market orders. In an autonomous trading skill, this increases the chance that a user or downstream agent enables live execution unintentionally, which can cause real financial loss even without any exploit beyond normal use.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation includes executable examples that place, modify, and cancel IBKR orders, including bracket and stop orders, without prominent warnings that these APIs can affect a live brokerage account if connected outside a paper-trading environment. In a skill explicitly designed for autonomous trading, users may copy these snippets directly, increasing the chance of unintended real-market activity, financial loss, or position-management errors.

Missing User Warnings

Medium
Confidence: 93%
Finding
The method performs an emergency liquidation of every open position immediately, with no confirmation gate, dry-run mode, caller authorization check, or explicit user-facing acknowledgement at the point of execution. In an autonomous trading skill connected to IBKR, an accidental invocation, prompt-manipulated trigger, or logic bug could rapidly flatten the entire portfolio and realize losses or disrupt active strategies.

Missing User Warnings

Medium
Confidence: 94%
Finding
The shutdown path unconditionally calls `close_all_positions()` in the `finally` block, which means any exception, interrupt, or failed startup state can trigger automated liquidation without a fresh operator acknowledgment at the call site. In an autonomous trading skill, this is especially dangerous because unexpected exits, transient faults, or misconfiguration could cause involuntary order placement and portfolio changes at exactly the moment the system is unstable.

VirusTotal

No VirusTotal findings
