ibkr-trading
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill requires the user to store their Interactive Brokers account username and password (
IBEAM_ACCOUNT,IBEAM_PASSWORD) in a plaintext.envfile as shown in theSKILL.mdsetup instructions and thescripts/setup.shtemplate. - [COMMAND_EXECUTION]: The skill utilizes several scripts that execute system-level commands.
scripts/setup.shperforms installations usingapt-getand manages files withwgetandunzip.scripts/keepalive.pyusessubprocess.Popento execute a local shell script (authenticate.sh) for session management based on authentication status checks. - [EXTERNAL_DOWNLOADS]: The
scripts/setup.shscript downloads the IBKR Client Portal Gateway binary from the official Interactive Brokers domain (download2.interactivebrokers.com). This is documented as a legitimate dependency for the skill's primary function. - [DATA_EXFILTRATION]: Multiple components, including
scripts/trading_bot.pyandscripts/keepalive.py, disable SSL/TLS certificate verification (verify=False) and suppress related security warnings. Although intended to facilitate connection to the local gateway's self-signed certificate, this practice increases vulnerability to man-in-the-middle attacks if the execution environment's network is compromised.
Recommendations
- HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata