TAAPI CLI

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears purpose-aligned for TAAPI.IO indicator lookups, but its helper script can expose your TAAPI secret in error output and process arguments.

Review this before installing if you will use a real TAAPI secret. The functionality matches the description, but treat command failures and logs as potentially secret-bearing, avoid unofficial base URLs, and consider rotating the TAAPI secret after any failed run whose output was captured or shared.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a TAAPI request fails, your API secret could be exposed in logs or chat output, allowing others with access to those logs to use your TAAPI account quota.

Why it was flagged

The direct request URL includes the TAAPI secret, and error paths print the full URL, which can leak the credential into terminal output, agent logs, or captured error messages.

Skill content

q="secret=$(urlencode "$SECRET")" ... die "http status $status from $url" ... die "curl failed for $url"

Recommendation

Use only revocable, low-privilege TAAPI secrets; avoid sharing failed command output; rotate the secret if it appears in logs. The maintainer should redact the secret from URLs before printing errors and avoid placing secret-bearing payloads on curl command lines where possible.

What this means

If you or an agent approve an unofficial base URL, your TAAPI secret and request payloads could be sent to that host.

Why it was flagged

The CLI has an escape hatch to send requests to a non-default endpoint. It is disclosed and guarded by an explicit opt-in flag, but it can send secrets and payloads away from the official TAAPI.IO API if used.

Skill content

--base-url URL         Override API base URL ... --allow-unofficial-base-url ... warn "using unofficial TAAPI base URL $BASE_URL; TAAPI secrets and payloads will be sent to that endpoint"

Recommendation

Use the default https://api.taapi.io endpoint unless you intentionally trust the alternate endpoint, and require explicit user review before allowing base URL overrides.