ibkr-readonly
Audited by Socket on Feb 27, 2026
1 alert found:
Malware: The skill manifest broadly matches a read-only IBKR data-analysis purpose but exhibits notable security and supply-chain risks: (1) downloading and executing a gateway binary from an external URL, (2) plaintext credential handling in environment files, (3) potential TLS/certificate handling gaps for localhost communications, and (4) extended session persistence via a local gateway. Mitigations include using signed, verifiable gateway artifacts from trusted sources, substituting secret management for credentials, enforcing strict TLS validation, limiting session lifetimes, and minimizing external data flow surfaces. Overall, the footprint is suspicious to moderately risky without mitigations, and should not be deployed in production without addressing supply-chain and credential security concerns.