ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TAAPI CLI

v1.0.1

Use this skill to fetch TAAPI.IO indicator data for crypto or stocks, including fast single-indicator requests and bulk/multi-construct queries for agentic t...

0· 389·0 current·0 all-time
by@oscraters
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (curl), required env var (TAAPI_SECRET), examples, tests, and the included CLI script all align with fetching indicators from TAAPI.IO. The provided scripts implement direct, bulk, and multi constructs as advertised.
Instruction Scope
SKILL.md and scripts restrict actions to building requests, reading payload files you supply, and posting to the TAAPI API (or an explicitly allowed alternate base URL). Live smoke tests explicitly require TAAPI_SECRET and network access and are documented as such. There are no instructions to read unrelated system files or exfiltrate data to unknown endpoints.
Install Mechanism
This is an instruction-only skill with local shell scripts included; there is no installation step that downloads or executes remote code. It depends on standard system tools (curl, optionally jq). No risky remote install URLs or archive extraction observed.
Credentials
The only required credential is TAAPI_SECRET (declared as the primaryEnv). The scripts also read several optional environment variables (TAAPI_BASE_URL, TAAPI_ALLOW_UNOFFICIAL_BASE_URL, TAAPI_RETRIES, TAAPI_TIMEOUT) that are reasonable configuration knobs but are not listed in the declared required env list — this is not a security hole but you should be aware the script will honor those env vars if present. The skill documents the risk of overriding TAAPI_BASE_URL (which would send your secret to a different host) and warns to use a revocable secret for live smoke tests.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide agent settings. It runs only when invoked and does not persist credentials beyond the current shell (the README recommends session-scoped environment variables).
Assessment
This package appears to do exactly what it claims: build and send TAAPI.IO API requests using curl. Before using it, do the following: 1) Use a revocable TAAPI secret and set it in the session (export TAAPI_SECRET) rather than baking it into files. 2) Avoid passing the secret via --secret in long-running orchestration (it appears in process args). 3) Do not override TAAPI_BASE_URL unless you deliberately want to send your secret to another host — the script refuses unofficial hosts unless explicitly opted-in. 4) Review examples/payload files so you don't accidentally commit real secrets into source. 5) Run tests/test-cli.sh for a dry run; avoid running tests/smoke-live.sh except in an isolated environment with a revocable key. Overall, the skill is coherent and low-risk if used with these precautions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97agc3va9j5m0s5rtwa6awcqd822xsj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl
EnvTAAPI_SECRET
Primary envTAAPI_SECRET

Comments