Security audit

IBKR Investing with Permission Gate

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed IBKR trading helper that can place stock or ETF orders only after an explicit confirmation, but it handles real brokerage access and sensitive local financial records.

Install only if you intend to let an agent read IBKR account data and prepare trades. Keep paper mode on until tested, use a tight symbol allow-list and low per-trade and daily caps, protect IBKR Gateway credentials and ~/.aeon/ibkr, and reply YES only after reviewing the full proposal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The document first correctly requires using the exact absolute pending-file path printed by the propose step, then later tells the agent to read a guessed default path under `~/.aeon/ibkr/pending/<id>.json`. That inconsistency can cause the agent to read the wrong file, miss the real token, or act on attacker-controlled/stale data if another file exists at the guessed location.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The script emits explicit trading suggestions ('consider buy' / 'consider sell') rather than limiting itself to factual market data or neutral indicators. In an investing skill, this is security-relevant because an autonomous or semi-autonomous agent could present these heuristic outputs as actionable advice, increasing the chance of unsafe financial decisions without suitability checks, broader context, or stronger human review.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
This module persistently writes trading lifecycle events and arbitrary provided fields to a user-local JSONL audit log with no minimization, redaction, retention control, or file-permission hardening. In a brokerage skill, those fields can easily include sensitive financial metadata such as symbols, quantities, order details, account context, or strategy activity, creating privacy and security risk if the host is multi-user, backed up, synced, or otherwise accessible.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.