Taka
Pass
Audited by ClawScan on May 1, 2026.
Overview
Taka appears to be a coherent AI creative-content CLI, but users should notice that it installs an external npm package, stores Taka login tokens locally, and can create, edit, or delete Taka creative projects.
Before installing, verify that `taka-cli` on npm is the package you intend to trust. After login, treat the machine as having access to your Taka account because tokens are stored locally. Let the agent generate and edit creatives only when you are comfortable with the content, credits used, and any deletion or update actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the npm package gives that package code execution on the local machine under the user's account.
The skill depends on installing a global npm package whose implementation is not included in the provided artifacts. This is normal for a CLI integration, but the package provenance should be trusted before installation.
npm install -g taka-cli
npm release: https://www.npmjs.com/package/taka-cli
Install only from the expected npm package page, verify the publisher/version, and avoid using npx or global install from untrusted package sources.
An agent using this skill could create, update, generate, or delete Taka creative assets if the user has authenticated the CLI.
The allowed tool scope covers all Taka CLI commands, including commands that can delete or modify creatives in the user's Taka account.
| **allowed-tools** | Bash(taka:*) | ... taka delete-creative --id <creative-id>
Review agent actions before destructive or credit-consuming commands, especially delete-creative, update-content, and generation commands.
Anyone or any process that can read the config file may be able to act as the logged-in Taka account until logout or token expiry.
The CLI stores persistent account tokens locally and refreshes them for continued API access. This is disclosed and fits the login workflow, but it is sensitive account authority.
Taka CLI uses JWT access/refresh tokens... Both are stored in `~/.config/taka/config.json` (mode 0o600, owner-only)
Use the intended Taka account, protect the local config file, and run `taka logout` when the account should no longer be available to agents on that machine.
Prompts, creative content, and login flows may be sent to the configured Taka API endpoint, including a custom endpoint if one is set.
The CLI sends requests to an external API endpoint, and the endpoint can be changed and saved with credentials. This is disclosed, but it affects where prompts, creative data, and authentication flows go.
By default, Taka CLI connects to `https://api.taka.ai/v1`. ... export TAKA_SERVER_URL=https://staging.api.taka.ai/v1 # Then login (URL is saved with credentials)
Use the default endpoint unless you intentionally trust a staging, development, or self-hosted endpoint, and avoid entering sensitive business content into prompts unless appropriate.
