Security scan
OpenClaw
Suspicious
high confidence
The skill is largely what it claims (IBKR Client Portal automation), but the published metadata omits the sensitive credentials and local system requirements the skill actually needs — that mismatch and the scripts' handling of secrets and automated re-auth are concerning and worth review before installing.
Assessment recommendations
Key points to consider before installing:
- Metadata mismatch: The registry claims no env/credentials required, but the code and instructions require your IBKR username/password, account ID, and local binaries (Java, Chrome, chromedriver, Xvfb). Treat this omission as a red flag and expect to manually provide sensitive credentials.
- Secrets handling: The setup creates a plaintext .env file containing IBEAM_ACCOUNT and IBEAM_PASSWORD. If you proceed, store credentials securely (tighten file pe...
⚠ Purpose and capabilities
The skill's name/description match the included code and instructions (IBKR Client Portal + IBeam automation). However the registry metadata declares no required environment variables, no credentials, and no required binaries, while the SKILL.md and scripts clearly require Java, Chrome/Chromium + chromedriver, Xvfb, a Python venv, and explicit IBKR credentials (IBEAM_ACCOUNT, IBEAM_PASSWORD, IBKR/IBEAM-related envs). The manifest omission is an incoherence: a trading automation skill legitimately needs those local binaries and credentials, so they should be declared.
⚠ Instruction scope
The runtime instructions and scripts direct the agent/user to download and run the IBKR Client Portal Gateway, run ibeam to perform automated login, create a plaintext ~/.env containing IBEAM_ACCOUNT and IBEAM_PASSWORD, start Xvfb, and schedule a cron keepalive that may trigger re-auth. All actions are within the stated purpose, but the instructions ask the user to store credentials in plaintext and repeatedly automate 2FA approval flows; the SKILL.md does not explicitly call out the sensitive nature of these steps. The keepalive script will automatically call authenticate.sh if the session expires, which may repeatedly launch auth flows (requiring phone approval).
✓ Install mechanism
There is no packaged install spec, but the setup.sh downloads the Client Portal Gateway from download2.interactivebrokers.com (an official-looking IBKR domain) and installs Python packages via pip (ibeam, requests, urllib3). No obfuscated download URLs, no pastebin/shorteners, and ZIP extraction is from an official host — this is expected for this use case. Still: users should verify the official download URL and, if possible, checksum/signature of the archive.
⚠ Credential requirements
The published skill declares no required env vars or primary credential, but the instructions and scripts require multiple sensitive environment variables (IBEAM_ACCOUNT, IBEAM_PASSWORD, IBEAM_GATEWAY_DIR, IBEAM_CHROME_DRIVER_PATH, IBEAM_TWO_FA_SELECT_TARGET, IBKR account id via IBKR_ACCOUNT_ID or runtime discovery). Requiring account credentials and account IDs is proportionate for a trading automation skill, but the metadata omission is a significant inconsistency. The scripts also recommend disabling TLS verification (verify=False / curl -k) for connections to the gateway (self-signed cert) — acceptable technically but increases risk if networking is not trusted.
✓ Persistence and privileges
The skill does not request always:true or system-wide privilege. It includes a keepalive script intended to be run via cron (user-controlled) that will call local endpoints and, if needed, spawn the authenticate script. That behavior is consistent with session management for trading automation. There is no attempt to modify other skills or global agent configuration.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/1/25
Initial release: Automate Interactive Brokers (IBKR) trading and authentication via the Client Portal API.
- Supports IBeam automated login using IBKR Key mobile 2FA.
- Enables monitoring of portfolio, positions, and account summaries.
- Allows order placement and position management through API endpoints.
- Provides setup instructions for Linux environments, including dependency installation and session keepalive.
- Includes troubleshooting tips and reference to extended documentation.
● Suspicious
Install command
Official: npx clawhub@latest install ibkr-trader
Mirror (accelerated): npx clawhub@latest install ibkr-trader --registry https://cn.longxiaskill.com