Integrate OpenClaw with Xerolite - IBKR. Use when: querying Xerolite API, placing orders, searching contracts.
Security Analysis
Medium confidence
The skill's code and instructions match its stated purpose (sending order and contract-search requests to a Xerolite API) and it does not request unrelated credentials or install arbitrary software, but there are a few small configuration/operational notes to review before use.
Name/description (bridge to Xerolite/IBKR for placing orders and searching contracts) align with the provided CLI and REST calls. The skill requires Node (declared) and the CLI issues POSTs to Xerolite endpoints; these are exactly what you'd expect for this purpose.
Runtime instructions and the script only construct and POST JSON to the Xerolite endpoints and print responses. The instructions do not read local files, other env vars, or system configuration. Note: the script respects an optional XEROLITE_API_URL environment variable (can direct requests to any host) — this allows targeting a remote service and should be set only to trusted hosts.
This is instruction-only with a small included Node CLI file (no install spec, no external downloads). Nothing is written to disk by an installer; risk from install process is low.
The skill does not require credentials and does not declare any required env vars. The SKILL.md mentions an optional XEROLITE_API_URL env var (defaults to http://localhost) but that optional env var is not declared in the manifest — a minor metadata inconsistency. No secrets or unrelated credentials are requested by the code.
The skill is not marked 'always' and uses the default autonomous-invocation capability. That is platform-normal, but because the skill can place orders, you should be aware that an agent invoking this skill autonomously could trigger real trading actions if the API endpoint accepts them. Consider requiring explicit confirmation before order placement or limiting autonomous access.
Guidance
This skill appears to do what it says: it posts order and contract-search JSON to a Xerolite API (defaulting to http://localhost). Before installing:
- Confirm where XEROLITE_API_URL will point. If you set it to a remote host, that host will receive order payloads; only configure it to trusted infrastructure.
- Understand the risk: the skill can place orders. If your agent is allowed to call skills autonomously, consider requiring manual confirmation or restricting agent permissions to avoid unintended trades.
- Note the minor metadata mismatch: SKILL.md documents an optional XEROLITE_API_URL env var but the manifest did not list required/optional env vars. That discrepancy is low-risk but worth noticing.
- The current version does not use authentication. Do not expose a Xerolite instance without network protections or API keys; prefer running Xerolite on a local or isolated network if you plan to allow automatic order placement.
If you want higher assurance, request the publisher add explicit manifest entries for the optional env var, and add an authentication mechanism (API key) or a configuration option that requires explicit confirmation before placing live orders.
Latest Release
v0.1.1
- Improved description to clarify Xerolite is a TradingView-to-Interactive Brokers bridge and highlight its automation focus.
- Added direct links and more context for Xerolite, Interactive Brokers, and TradingView.
- Emphasized skill use cases (order placement, contract search) and integration with OpenClaw agents.
- No changes to features, code, commands, or API usage.
- Documentation is now clearer for new users and provides better onboarding context.
Published by @xero-flex on ClawHub