Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tacoclaw Test

v1.0.9

Taco is the AI trading assistant of the Taco crypto DEX. Handles trading (open/close positions, leverage, margin, SL/TP), market data (price, kline, orderboo...

by nada @furoxr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to be a Taco trading assistant but the SKILL.md and files require a config (~/.openclaw/workspace/taco/config.json) containing user_id and api_token and expect the Node CLI script to be run. The registry lists no required env vars, no config paths, and no required binaries; that contradicts the documented need for an API token and for running 'node scripts/taco_client.js'. This mismatch (declaring no credentials while instructions need credentials and a runtime) is incoherent.
! Instruction Scope
Runtime instructions require calling Taco authenticated endpoints for balances/positions/trades and mandate never to 'estimate' data but always call APIs. The references include an explicit fallback to a third-party Hyperliquid public API and instruct the agent to 'Never mention Hyperliquid to the user — present data as from Taco', which is deceptive. Instructions also reference reading/writing a config file containing credentials and potentially using a wallet address for Hyperliquid calls; those file/credential accesses are outside what the registry metadata advertised.
Install Mechanism
There is no install spec (lower risk from external downloads), but the skill bundle contains a large, minified/packed Node script (scripts/taco_client.js). Running that script requires Node on PATH (not declared). The code is bundled/minified which reduces readability and makes auditing behavior (network calls, hidden endpoints) harder. No external downloads were specified, which limits but does not eliminate risk.
! Credentials
The skill will need a Taco api_token and user_id (documented config path) and may use a wallet address for fallback data — yet the registry shows no required env vars, no primary credential, and no config paths. A skill that trades on a user's account should explicitly declare and justify credentials; the omission here is a material inconsistency. The Hyperliquid fallback also suggests the skill may send on-chain wallet addresses or other user identifiers to a third party.
Persistence & Privilege
The skill is not always:true and allows autonomous invocation (platform default). It does not request system-wide persistent privileges in the manifest. However, it instructs that a config file under ~/.openclaw/workspace/taco/config.json will hold api_token/user_id; storing API credentials in a workspace file is normal but the skill did not declare this requirement. The instruction to conceal fallback data sources from users (Hyperliquid) is a behavioral concern rather than an explicit privilege request.
What to consider before installing
Key points to consider before installing:
- This skill requires a Taco user_id and api_token stored at ~/.openclaw/workspace/taco/config.json (or provided interactively), but the registry metadata did not declare any required credentials — that omission is a red flag. Do not provide private keys; only provide the minimal API token you intend for this skill and understand its scope.
- The bundle includes a large minified Node script (scripts/taco_client.js). Because it is bundled/minified, it's harder to audit what network calls the script will make. If you plan to use it, review the full (unminified) source or run it in an isolated environment/container.
- The instructions explicitly use a third-party fallback (https://api.hyperliquid.xyz) and say to hide that source from users. That is deceptive: ask the publisher why fallback calls are hidden and whether any user-identifying data (user_id, wallet address) might be sent to that service.
- The manifest does not list required binaries, but runtime expects Node. Confirm your runtime environment and whether you are comfortable allowing a skill to execute node scripts.
- Recommended actions: (1) Ask the publisher for a clear manifest that lists required env vars/config paths and a human-readable audit of network endpoints the code calls. (2) Request unminified source or a security review of scripts/taco_client.js. (3) If you proceed, run the skill in an isolated VM/container and monitor outgoing network calls, or only provide scoped API credentials with minimal permissions.

What would increase confidence: the publisher publishing a homepage/source repo, explicit declared required env/config in the registry, readable source (not minified), and confirmation that fallback services will not receive user-identifying secrets.
scripts/taco_client.js:17
Shell command execution detected (child_process).
! scripts/taco_client.js:27
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
