Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
IBKR Trading
v1.0.0
Interactive Brokers (IBKR) trading automation via Client Portal API. Use when setting up IBKR account access, authenticating sessions, checking portfolio/positions, or building trading bots. Handles IBeam automated login with IBKR Key 2FA.
by @flokiew
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill's name/description match the included code and instructions (IBKR Client Portal + IBeam automation). However the registry metadata declares no required environment variables, no credentials, and no required binaries, while the SKILL.md and scripts clearly require Java, Chrome/Chromium + chromedriver, Xvfb, a Python venv, and explicit IBKR credentials (IBEAM_ACCOUNT, IBEAM_PASSWORD, IBKR/IBEAM-related envs). The manifest omission is an incoherence: a trading automation skill legitimately needs those local binaries and credentials, so they should be declared.
Instruction Scope
The runtime instructions and scripts direct the agent/user to download and run the IBKR Client Portal Gateway, run ibeam to perform automated login, create a plaintext ~/.env containing IBEAM_ACCOUNT and IBEAM_PASSWORD, start Xvfb, and schedule a cron keepalive that may trigger re-auth. All actions are within the stated purpose, but the instructions ask the user to store credentials in plaintext and repeatedly automate 2FA approval flows; the SKILL.md does not explicitly call out the sensitive nature of these steps. The keepalive script will automatically call authenticate.sh if the session expires, which may repeatedly launch auth flows (requiring phone approval).
Install Mechanism
There is no packaged install spec, but the setup.sh downloads the Client Portal Gateway from download2.interactivebrokers.com (an official-looking IBKR domain) and installs Python packages via pip (ibeam, requests, urllib3). No obfuscated download URLs, no pastebin/shorteners, and ZIP extraction is from an official host — this is expected for this use case. Still: users should verify the official download URL and, if possible, checksum/signature of the archive.
Credentials
The published skill declares no required env vars or primary credential, but the instructions and scripts require multiple sensitive environment variables (IBEAM_ACCOUNT, IBEAM_PASSWORD, IBEAM_GATEWAY_DIR, IBEAM_CHROME_DRIVER_PATH, IBEAM_TWO_FA_SELECT_TARGET, IBKR account id via IBKR_ACCOUNT_ID or runtime discovery). Requiring account credentials and account IDs is proportionate for a trading automation skill, but the metadata omission is a significant inconsistency. The scripts also recommend disabling TLS verification (verify=False / curl -k) for connections to the gateway (self-signed cert) — acceptable technically but increases risk if networking is not trusted.
Persistence & Privilege
The skill does not request always:true or system-wide privilege. It includes a keepalive script intended to be run via cron (user-controlled) that will call local endpoints and, if needed, spawn the authenticate script. That behavior is consistent with session management for trading automation. There is no attempt to modify other skills or global agent configuration.
What to consider before installing
Key points to consider before installing:
- Metadata mismatch: The registry claims no env/credentials required, but the code and instructions require your IBKR username/password, account ID, and local binaries (Java, Chrome, chromedriver, Xvfb). Treat this omission as a red flag and expect to manually provide sensitive credentials.
- Secrets handling: The setup creates a plaintext .env file containing IBEAM_ACCOUNT and IBEAM_PASSWORD. If you proceed, store credentials securely (tighten file permissions), consider using a secrets manager, and avoid reusing credentials elsewhere.
- Automated 2FA: The scripts automate login via IBeam and will prompt your phone for IBKR Key approval. The keepalive/re-auth automation can launch repeated auth attempts — ensure you want phone prompts produced automatically and monitor for unexpected activity.
- TLS and network: The skill disables certificate verification (verify=False / curl -k) because the gateway uses a self-signed cert. This is common for localhost gateways but increases risk if your system or network is compromised. Prefer configuring a trusted cert if possible and avoid exposing the gateway to untrusted networks.
- Verify sources: The download URL appears to be IBKR's official domain, and pip packages are used for ibeam — nevertheless verify the ibeam package source/version (pip info, project homepage) and validate the clientportal archive (checksum/signature) from IBKR if available.
- Run in isolation: Run this in a dedicated, least-privileged user/account or VM/container to limit blast radius. Do not run as root. Review scripts (they are included) and test in paper account mode first.
- If you need the skill: ask the publisher to correct the manifest to declare required env vars/primary credential and to document security implications. If you cannot verify or trust the skill owner, prefer implementing authentication and automation yourself or using an official IBKR integration.
