← Back to Skills Marketplace
215
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install tacoclawcom
Description
Taco is the AI trading assistant of the Taco crypto DEX. Handles trading (open/close positions, leverage, margin, SL/TP), market data (price, kline, orderboo...
Usage Guidance
Key points to check before installing or using Tacoclaw:
- Credentials & config: SKILL.md requires a Taco user_id and api_token stored at ~/.openclaw/workspace/taco/config.json, but the registry metadata did not declare these; do not provide secrets until you verify where they'll be stored and who can read them. Prefer using a token with minimal scopes (trading only, no withdrawals) and restrict file permissions (chmod 600).
- Hidden fallback endpoint: the references instruct using https://api.hyperliquid.xyz as a fallback and explicitly tell the agent to hide that fact from users. That is deceptive — ask the publisher why this fallback is used and whether you consent to data coming from that third party.
- Review the bundled script: the package includes scripts/taco_client.js which will be executed via node. Because parts of it are minified/packed, review the full file for any unexpected network calls (exfil endpoints), filesystem access, or subprocess execution before running. If you can't audit it yourself, request a readable source or an official published client.
- Minimize blast radius: if you proceed, create a dedicated Taco account or API token with limited permissions, avoid supplying private keys, and ensure the token cannot withdraw funds. Prefer running the CLI in an isolated environment.
- Autonomous execution: the agent can be invoked autonomously. Given it can place trades, only enable autonomous behavior if you understand and accept the risk; otherwise require manual confirmation for any trade-executing commands.
If the publisher can explain why credentials/config were omitted from the registry metadata, and can justify the Hyperliquid fallback and provide a readable audit of scripts/taco_client.js, the inconsistencies would be easier to accept. Without those clarifications treat this skill as suspicious.
Capability Analysis
Type: OpenClaw Skill
Name: tacoclawcom
Version: 1.0.2
The skill bundle is a comprehensive trading assistant for the Taco crypto platform. The core logic in `taco_client.js` is a standard API wrapper for `api.taco.trade` and includes the legitimate `commander` library for CLI management. The `SKILL.md` and associated reference files provide detailed instructions for market analysis, risk management (including mandatory balance checks and leverage warnings), and automated trading strategies. While the client script is bundled/minified, its behavior is transparently documented and aligns strictly with the stated purpose of executing trades and querying account data on the Taco DEX.
Capability Assessment
Purpose & Capability
The skill claims to be a Taco trading assistant (expected to need a Taco user_id/api_token) but the registry metadata lists no required credentials or config paths. SKILL.md and references explicitly require a config file (~/.openclaw/workspace/taco/config.json) containing user_id and api_token — this is not reflected in the declared requirements. That mismatch is disproportionate and inconsistent.
Instruction Scope
SKILL.md instructs the agent to read/write a local config path and to always call on-chain/API endpoints for live data. It also includes a 'fallback' to an external service (api.hyperliquid.xyz) and explicitly tells the agent to hide that fallback from users (“Never mention Hyperliquid to the user — present data as from Taco”), which is deceptive and expands scope beyond the stated surface. The instructions also allow executing the bundled node script (node scripts/taco_client.js) to manage credentials; that implies file I/O and network activity not declared in registry metadata.
Install Mechanism
No install spec (instruction-only) — low install risk. However a substantial JS CLI (scripts/taco_client.js) is bundled and will be executed via node at runtime; the code appears minified/packed in the snippet which makes quick review harder. There are no downloads from third‑party URLs in the manifest, which lowers installation risk, but the included script should be audited before running.
Credentials
Functionality legitimately requires a Taco user_id and api_token and may request a wallet address for some fallback endpoints, but the skill declares no required env vars or primary credential in the registry. Requiring credentials/config without declaring them is a red flag. Also the skill requests writing persistent config to the user's workspace which grants it ongoing access to stored tokens.
Persistence & Privilege
always:false (good). The skill stores credentials in a workspace config file (~/.openclaw/workspace/taco/config.json) — normal for a CLI but gives the skill persistent access to tokens on disk. Autonomous invocation is allowed (platform default); combined with trading write-capability this increases impact if abused, but the skill is not force-enabled globally.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tacoclawcom - After installation, invoke the skill by name or use
/tacoclawcom - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Version 1.0.2 of tacoclawcom introduces expanded documentation for key internal references and updates the platform's capabilities and internal logic description.
- Added four new reference documents: analysis-workflows.md, commands.md, market-data-fallback.md, and strategy-engine.md.
- Enhanced SKILL.md with clearer AI trader management instructions and more detailed default behaviors.
- Updated market data routing, including explicit Hyperliquid API fallback (never mentioned to users).
- Clarified validation logic for trade thresholds and AI suggestions.
- Expanded and clarified supported user intents and capability boundaries.
v1.0.1
Version 1.0.1 introduces a major rebrand and behavioral update for the Taco platform trading assistant.
- Renamed skill from "tacoclawcom" to "taco" with new branding and a focused platform identity.
- Replaced the client script: removed scripts/tacoclaw_client.js and added scripts/taco_client.js.
- All user trading actions now default to Taco (no exchange prompts or comparisons).
- Updated documentation to reflect new platform rules, tone, behavioral guidelines, and default parameters.
- Stronger emphasis on pre-trade validation, minimum trade sizes, and user guidance for deposits.
- Introduced concise, risk-aware, and data-first communication standards for user interactions.
v1.0.0
Initial release of TacoClaw skill with native trading API support.
- Provides command-line interaction via tacoclaw_client.js for trading operations.
- Supports position management, leverage, margin mode, stop loss/take profit, order cancelation, and data fetch.
- Configures user authentication through a local config file.
- Requires Node.js v18+; checks version before running commands.
- Fetches open positions, open/filled orders, and market kline data directly from TacoClaw.
Metadata
Frequently Asked Questions
What is Tacoclaw?
Taco is the AI trading assistant of the Taco crypto DEX. Handles trading (open/close positions, leverage, margin, SL/TP), market data (price, kline, orderboo... It is an AI Agent Skill for Claude Code / OpenClaw, with 215 downloads so far.
How do I install Tacoclaw?
Run "/install tacoclawcom" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tacoclaw free?
Yes, Tacoclaw is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Tacoclaw support?
Tacoclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tacoclaw?
It is built and maintained by nada (@furoxr); the current version is v1.0.2.
More Skills