taco 安全扫描报告 — 可信 | ClawSafe

5 /100

taco

AI trading assistant for Taco crypto DEX — handles trading, market data, account queries, technical analysis, and AI trader management

Taco is a legitimate crypto DEX trading assistant with no malicious behavior observed. All network calls target a single documented API endpoint, credentials are stored locally in a config file only, and the codebase is transparent with no hidden functionality.

技能名称taco

分析耗时40.8s

引擎pi

✓

可以安装

This skill is safe to use. No security action required. The skill correctly declares its network capabilities through API interactions and stores credentials only in the documented config path.

安全发现 2 项

严重性	安全发现	位置
提示	No dependency manifest No package.json or requirements.txt exists. Dependencies (commander, node:fs, node:path, node:os, node:readline, native fetch) are assumed standard Node.js modules. This makes version pinning unverifiable. `var E=require('fs'),T=require('path'),wt=require('os'),At=require('readline')` → Add package.json to pin versions of any third-party dependencies.	`scripts/taco_client.js:1`
提示	Credentials stored in plaintext config file user_id and api_token are stored as plaintext JSON in ~/.openclaw/workspace/taco/config.json. This is standard for CLI tools but worth noting. `Config: ~/.openclaw/workspace/taco/config.json` → Consider using a secrets manager or encrypted storage for production deployments.	`SKILL.md:290`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	SKILL.md:Config:~/.openclaw/workspace/taco/config.json; taco_client.js reads con…
网络访问	`READ+WRITE`	`READ+WRITE`	✓ 一致	SKILL.md declares API calls; taco_client.js:fetch() calls api.dev.taco.trading f…
命令执行	`NONE`	`NONE`	—	No shell execution found; node process.argv parsing only
环境变量	`NONE`	`NONE`	—	No env iteration; only reads process.env for NO_COLOR/FORCE_COLOR/CLI_COLOR
剪贴板	`NONE`	`NONE`	—	Not accessed
浏览器	`NONE`	`NONE`	—	Not accessed
数据库	`NONE`	`NONE`	—	Not accessed
技能调用	`NONE`	`NONE`	—	Skill is a leaf — no nested skill invocations

3 项发现

🔗

中危外部 URL 外部 URL

https://api.dev.taco.trading

references/api-references.md:4

🔗

中危外部 URL 外部 URL

https://api.hyperliquid.xyz/info

references/market-data-fallback.md:5

📧

提示邮箱邮箱地址

[email protected]

references/api-references.md:495

目录结构

7 文件 · 125.1 KB · 2321 行

Markdown 6f · 2294L JavaScript 1f · 27L

├─ ▾ 📁 references

│ ├─ 📝 analysis-workflows.md Markdown 252L · 9.8 KB

│ ├─ 📝 api-references.md Markdown 734L · 18.1 KB

│ ├─ 📝 commands.md Markdown 426L · 11.5 KB

│ ├─ 📝 market-data-fallback.md Markdown 73L · 2.2 KB

│ └─ 📝 strategy-engine.md Markdown 453L · 15.0 KB

├─ ▾ 📁 scripts

│ └─ 📜 taco_client.js JavaScript 27L · 52.1 KB

└─ 📝 SKILL.md Markdown 356L · 16.3 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`commander (bundled)`	`bundled minified`	node_modules (assumed standard)	否	Commader CLI parsing library — bundled minified in source, not separately installed
`node:fs, node:path, node:os, node:readline`	`Node.js built-in`	Node.js standard library	否	Standard library modules, no external dependencies
`fetch (native)`	`Node.js 18+`	Node.js native fetch API	否	Native fetch, no external HTTP client dependency

安全亮点

✓ No base64, eval, or obfuscated code — all logic is readable

✓ Single hardcoded API endpoint (api.dev.taco.trading) — no dynamic DNS resolution or IP hopping

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No credential exfiltration — credentials only used in Authorization header to the documented API

✓ SKILL.md accurately documents all capabilities and CLI commands

✓ No hidden instructions in HTML comments or string literals

✓ Comprehensive input validation and pre-trade checks documented

✓ Graceful error handling with informative messages