# Add to your Claude Code skills
git clone https://github.com/code-rabi/interactive-brokers-mcpGuides for using mcp servers skills like interactive-brokers-mcp.
Last scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@modelcontextprotocol/sdk: Anthropic's MCP TypeScript SDK has a ReDoS vulnerability",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "axios: Axios is vulnerable to DoS attack through lack of data size check",
"severity": "high"
},
{
"type": "npm-audit",
"message": "body-parser: body-parser is vulnerable to denial of service when url encoding is used",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "diff: jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"severity": "low"
},
{
"type": "npm-audit",
"message": "express: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "glob: glob CLI: Command injection via -c/--cmd executes matches with shell:true",
"severity": "high"
},
{
"type": "npm-audit",
"message": "handlebars: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "js-yaml: js-yaml has prototype pollution in merge (<<)",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "libnpmdiff: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash-es: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "npm: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "pacote: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "rollup: Rollup 4 has Arbitrary File Write via Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "socks: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite: vite allows server.fs.deny bypass via backslash on Windows",
"severity": "high"
}
],
"status": "FAILED",
"scannedAt": "2026-05-30T16:10:48.629Z",
"npmAuditRan": true,
"pipAuditRan": true
}interactive-brokers-mcp is an open-source mcp servers skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by code-rabi. Interactive Brokers MCP Server. It has 198 GitHub stars.
interactive-brokers-mcp failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/code-rabi/interactive-brokers-mcp" and add it to your Claude Code skills directory (see the Installation section above).
interactive-brokers-mcp is primarily written in JavaScript. It is open-source under code-rabi on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other MCP Servers skills you can browse and compare side by side. Open the MCP Servers category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh interactive-brokers-mcp against similar tools.
No comments yet. Be the first to share your thoughts!
Top skills in this category by stars
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
DISCLAIMER: This is an unofficial, community-developed MCP server and is NOT affiliated with or endorsed by Interactive Brokers. This software is in Alpha state and may not work perfectly.
A Model Context Protocol (MCP) server that provides integration with Interactive Brokers' trading platform. This server allows AI assistants to interact with your IB account to retrieve market data, check positions, and place trades.

npx - no Docker or additional installations required. Includes pre-configured IB Gateway and Java runtime for all platformsIMPORTANT WARNINGS:
No additional installations required for mainstream platforms. This package includes:
node:lts-alpine, supergateway)You only need:
Add this MCP server to your Cursor/Claude configuration:
{
"mcpServers": {
"interactive-brokers": {
"command": "npx",
"args": ["-y", "interactive-brokers-mcp"]
}
}
}
When you first use the server, a web browser window will automatically open for the Interactive Brokers OAuth authentication flow. Log in with your IB credentials to authorize the connection.
For automated environments or when you prefer not to use a browser for authentication, you can enable headless mode by configuring it in your MCP server configuration:
{
"mcpServers": {
"interactive-brokers": {
"command": "npx",
"args": ["-y", "interactive-brokers-mcp"],
"env": {
"IB_HEADLESS_MODE": "true",
"IB_USERNAME": "your_ib_username",
"IB_PASSWORD_AUTH": "your_ib_password"
}
}
}
}
In headless mode, the server will automatically authenticate using your credentials without opening a browser window. This is useful for:
Important: Even in headless mode, Interactive Brokers may still require
two-factor authentication (2FA). When 2FA is triggered, the headless
authentication will wait up to 60 seconds for you to complete the 2FA process
through your configured method (mobile app, SMS, etc.) before returning an
AUTHENTICATION_PENDING response. Wait for approval to complete, then check
account info again.
To enable paper trading, add "IB_PAPER_TRADING": "true" to your environment variables:
{
"mcpServers": {
"interactive-brokers": {
"command": "npx",
"args": ["-y", "interactive-brokers-mcp"],
"env": {
"IB_HEADLESS_MODE": "true",
"IB_USERNAME": "your_ib_username",
"IB_PASSWORD_AUTH": "your_ib_password",
"IB_PAPER_TRADING": "true"
}
}
}
}
Security Note: Store credentials securely and never commit them to version control. Consider using environment variable files or secure credential management systems.
To use Flex Queries for retrieving account statements and historical data, you need to configure your Flex Web Service Token:
{
"mcpServers": {
"interactive-brokers": {
"command": "npx",
"args": ["-y", "interactive-brokers-mcp"],
"env": {
"IB_FLEX_TOKEN": "your_flex_token_here"
}
}
}
}
For detailed instructions on enabling Flex Web Service, see the IB Flex Web Service Guide.
For a complete guide on creating and customizing Flex Queries, see the IB Flex Queries Guide.
Note: When you execute a Flex Query for the first time, the MCP server automatically saves it with its name from the API. Future executions can reference the query by either its ID or its saved name.
forget_flex_query tool| Feature | Environment Variable | Command Line Argument |
|---|---|---|
| Username | IB_USERNAME |
--ib-username |
| Password | IB_PASSWORD_AUTH |
--ib-password-auth |
| Headless Mode | IB_HEADLESS_MODE |
--ib-headless-mode |
| Paper Trading | IB_PAPER_TRADING |
--ib-paper-trading |
| Auth Timeout | IB_AUTH_TIMEOUT |
--ib-auth-timeout |
| Auth Wait Seconds | IB_AUTH_WAIT_SECONDS |
--ib-auth-wait-seconds |
| Auth Poll Seconds | IB_AUTH_POLL_SECONDS |
--ib-auth-poll-seconds |
| Force standalone bundled gateway | IB_FORCE_STANDALONE_GATEWAY |
N/A |
| Flex Token | IB_FLEX_TOKEN |
N/A |
| Read-only mode | IB_READ_ONLY_MODE |
--ib-read-only-mode |
| 2FA Strategy | IB_TWO_FA_STRATEGY |
N/A |
| TOTP Secret Key | IB_TOTP_SECRET |
N/A |
| Login page selector overrides | IB_SELECTOR_USERNAME, IB_SELECTOR_PASSWORD, IB_SELECTOR_LOGIN_SUBMIT |
N/A |
| TOTP form selector overrides | IB_SELECTOR_TOTP_INPUT, IB_SELECTOR_TOTP_SUBMIT |
N/A |
See the TOTP 2FA Strategy Document for details on the 2FA and selector-override variables.
On startup, the MCP first probes reachable local Gateway endpoints on the configured port and common Client Portal Gateway ports. If a healthy existing Gateway is found, the MCP attaches to it and does not start another bundled Gateway.
When no suitable existing Gateway is reachable, the MCP starts the bundled Java Gateway as a durable detached process. Runtime coordination files are stored under ib-gateway/.runtime/:
gateway-session.json records the MCP-managed Gateway pid, port, version, and log paths.gateway-session.lock prevents two MCP processes from starting duplicate managed Gateways at the same time.gateway.stdout.log and gateway.stderr.log receive the Gateway process output.Normal MCP shutdown detaches from the Gateway and leaves it running so later MCP runs can reuse it. If IB_FORCE_STANDALONE_GATEWAY=true is set, the MCP skips unrelated external Gateway discovery, but it still reuses or coordinates through the durable MCP-managed session metadata and lock files.
To reset the managed Gateway session, stop the Gateway process recorded in ib-gateway/.runtime/gateway-session.json, then remove ib-gateway/.runtime/gateway-session.json and any stale ib-gateway/.runtime/gateway-session.lock. The MCP automatically removes stale metadata when the recorded pid no longer exists.
| Tool | Description |
|---|---|
get_account_info |
Retrieve account information and balances |
get_positions |
Get current positions and P&L |
get_market_data |
Real-time market data for symbols |
place_order |
Place market, limit, or stop orders (only if read-only mode is disabled) |
get_order_status |
Check order execution status |
get_live_orders |
Get all live/open orders for monitoring |
| Tool | Description