← Back to Skills Marketplace
447
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install taapi
Description
Use this skill to fetch TAAPI.IO indicator data for crypto or stocks, including fast single-indicator requests and bulk/multi-construct queries for agentic t...
Usage Guidance
This package appears to do exactly what it claims: build and send TAAPI.IO API requests using curl. Before using it, do the following: 1) Use a revocable TAAPI secret and set it in the session (export TAAPI_SECRET) rather than baking it into files. 2) Avoid passing the secret via --secret in long-running orchestration (it appears in process args). 3) Do not override TAAPI_BASE_URL unless you deliberately want to send your secret to another host — the script refuses unofficial hosts unless explicitly opted-in. 4) Review examples/payload files so you don't accidentally commit real secrets into source. 5) Run tests/test-cli.sh for a dry run; avoid running tests/smoke-live.sh except in an isolated environment with a revocable key. Overall, the skill is coherent and low-risk if used with these precautions.
Capability Analysis
Type: OpenClaw Skill
Name: taapi
Version: 1.0.1
The skill is suspicious due to a critical vulnerability that could lead to credential exfiltration via prompt injection. The `scripts/taapi-agent.sh` allows overriding the API endpoint via `TAAPI_BASE_URL` and sends the `TAAPI_SECRET` to this potentially arbitrary URL. While the script includes a guardrail (`TAAPI_ALLOW_UNOFFICIAL_BASE_URL`) requiring explicit opt-in for unofficial URLs, an advanced prompt injection attack could instruct the agent to set both `TAAPI_BASE_URL` to a malicious domain and `TAAPI_ALLOW_UNOFFICIAL_BASE_URL=1`, thereby exfiltrating the `TAAPI_SECRET` and other request data. This is a high-risk capability, even with the documented warnings and guardrails, as it enables a direct path for secret exfiltration if the agent is compromised.
Capability Assessment
Purpose & Capability
Name/description, required binary (curl), required env var (TAAPI_SECRET), examples, tests, and the included CLI script all align with fetching indicators from TAAPI.IO. The provided scripts implement direct, bulk, and multi constructs as advertised.
Instruction Scope
SKILL.md and scripts restrict actions to building requests, reading payload files you supply, and posting to the TAAPI API (or an explicitly allowed alternate base URL). Live smoke tests explicitly require TAAPI_SECRET and network access and are documented as such. There are no instructions to read unrelated system files or exfiltrate data to unknown endpoints.
Install Mechanism
This is an instruction-only skill with local shell scripts included; there is no installation step that downloads or executes remote code. It depends on standard system tools (curl, optionally jq). No risky remote install URLs or archive extraction observed.
Credentials
The only required credential is TAAPI_SECRET (declared as the primaryEnv). The scripts also read several optional environment variables (TAAPI_BASE_URL, TAAPI_ALLOW_UNOFFICIAL_BASE_URL, TAAPI_RETRIES, TAAPI_TIMEOUT) that are reasonable configuration knobs but are not listed in the declared required env list — this is not a security hole but you should be aware the script will honor those env vars if present. The skill documents the risk of overriding TAAPI_BASE_URL (which would send your secret to a different host) and warns to use a revocable secret for live smoke tests.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide agent settings. It runs only when invoked and does not persist credentials beyond the current shell (the README recommends session-scoped environment variables).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install taapi - After installation, invoke the skill by name or use
/taapi - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Added metadata block in SKILL.md with homepage and runtime requirements for better documentation and agent compatibility.
- Added agents/openai.yaml for agent configuration support.
- Expanded SKILL.md with a new "Security And Runtime Requirements" section outlining secret management, `curl` and `jq` dependencies, and endpoint security.
- Clarified usage and tooling requirements for safer and more robust agentic trading workflows.
v1.0.0
- Initial release of the taapi skill for fetching TAAPI.IO indicator data for crypto and stocks.
- Supports fast single-indicator requests (direct), bulk requests, and multi-construct queries via a CLI helper.
- Workflow guidance included for choosing between direct, bulk, and multi based on the use case.
- CLI tasks provided for direct GET, bulk POST, and multi-construct payload generation.
- Includes example payloads and scripts for testing and automation use.
- Documentation covers API usage, parameter requirements, rate limits, and agentic integration best practices.
Metadata
Frequently Asked Questions
What is TAAPI CLI?
Use this skill to fetch TAAPI.IO indicator data for crypto or stocks, including fast single-indicator requests and bulk/multi-construct queries for agentic t... It is an AI Agent Skill for Claude Code / OpenClaw, with 447 downloads so far.
How do I install TAAPI CLI?
Run "/install taapi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is TAAPI CLI free?
Yes, TAAPI CLI is completely free (open-source). You can download, install and use it at no cost.
Which platforms does TAAPI CLI support?
TAAPI CLI is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created TAAPI CLI?
It is built and maintained by oscraters (@oscraters); the current version is v1.0.1.
More Skills