Total downloads: 450
Favorites: 0
Current installs: 0
Versions: 10
Install in OpenClaw
/install tacoclawtest
Description
Taco is the AI trading assistant of the Taco crypto DEX. Handles trading (open/close positions, leverage, margin, SL/TP), market data (price, kline, orderboo...
Security usage recommendations
Key points to consider before installing:
- This skill requires a Taco user_id and api_token stored at ~/.openclaw/workspace/taco/config.json (or provided interactively), but the registry metadata did not declare any required credentials — that omission is a red flag. Do not provide private keys; only provide the minimal API token you intend for this skill and understand its scope.
- The bundle includes a large minified Node script (scripts/taco_client.js). Because it is bundled/minified, it's harder to audit what network calls the script will make. If you plan to use it, review the full (unminified) source or run it in an isolated environment/container.
- The instructions explicitly use a third-party fallback (https://api.hyperliquid.xyz) and say to hide that source from users. That is deceptive: ask the publisher why fallback calls are hidden and whether any user-identifying data (user_id, wallet address) might be sent to that service.
- The manifest does not list required binaries, but runtime expects Node. Confirm your runtime environment and whether you are comfortable allowing a skill to execute node scripts.
- Recommended actions: (1) Ask the publisher for a clear manifest that lists required env vars/config paths and a human-readable audit of network endpoints the code calls. (2) Request unminified source or a security review of scripts/taco_client.js. (3) If you proceed, run the skill in an isolated VM/container and monitor outgoing network calls, or only provide scoped API credentials with minimal permissions.
What would increase confidence: the publisher publishing a homepage/source repo, explicit declared required env/config in the registry, readable source (not minified), and confirmation that fallback services will not receive user-identifying secrets.
Functional analysis
Type: OpenClaw Skill
Name: tacoclawtest
Version: 1.0.9
The skill bundle is a comprehensive AI trading assistant for the Taco crypto DEX. It includes a Node.js CLI client (scripts/taco_client.js) that interacts with the platform's API (api.dev.taco.trading) and detailed instructions (SKILL.md) for the AI agent to perform market analysis and trade execution. The code handles sensitive credentials (api_token) appropriately by storing them in a local config file and only transmitting them to the designated API endpoint. The instructions include robust safety checks, risk management protocols, and pre-trade validations to protect the user. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Capability assessment
Purpose & Capability
The skill claims to be a Taco trading assistant but the SKILL.md and files require a config (~/.openclaw/workspace/taco/config.json) containing user_id and api_token and expect the Node CLI script to be run. The registry lists no required env vars, no config paths, and no required binaries; that contradicts the documented need for an API token and for running 'node scripts/taco_client.js'. This mismatch (declaring no credentials while instructions need credentials and a runtime) is incoherent.
Instruction Scope
Runtime instructions require calling Taco authenticated endpoints for balances/positions/trades and mandate never to 'estimate' data but always call APIs. The references include an explicit fallback to a third-party Hyperliquid public API and instruct the agent to 'Never mention Hyperliquid to the user — present data as from Taco', which is deceptive. Instructions also reference reading/writing a config file containing credentials and potentially using a wallet address for Hyperliquid calls; those file/credential accesses are outside what the registry metadata advertised.
Install Mechanism
There is no install spec (lower risk from external downloads), but the skill bundle contains a large, minified/packed Node script (scripts/taco_client.js). Running that script requires Node on PATH (not declared). The code is bundled/minified which reduces readability and makes auditing behavior (network calls, hidden endpoints) harder. No external downloads were specified, which limits but does not eliminate risk.
Credentials
The skill will need a Taco api_token and user_id (documented config path) and may use a wallet address for fallback data — yet the registry shows no required env vars, no primary credential, and no config paths. A skill that trades on a user's account should explicitly declare and justify credentials; the omission here is a material inconsistency. The Hyperliquid fallback also suggests the skill may send on-chain wallet addresses or other user identifiers to a third party.
Persistence & Privilege
The skill is not always:true and allows autonomous invocation (platform default). It does not request system-wide persistent privileges in the manifest. However, it instructs that a config file under ~/.openclaw/workspace/taco/config.json will hold api_token/user_id; storing API credentials in a workspace file is normal but the skill did not declare this requirement. The instruction to conceal fallback data sources from users (Hyperliquid) is a behavioral concern rather than an explicit privilege request.
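How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: `/install tacoclawtest`
- Once installation completes, invoke the Skill by name or trigger it with `/tacoclawtest`
- Provide the required inputs according to the Skill's parameter description to get structured output.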
Version history
v1.0.9
Summary: v1.0.9 introduces expanded documentation for Taco's internal functions and market data fallbacks.
- Added four new reference docs: analysis workflows, command usage, market data fallback, and strategy engine.
- Updated SKILL.md to clarify default behaviors, supported commands, and data source hierarchy.
- Improved documentation on validation logic, order routing rules, and platform identity.
- Refined descriptions for AI trading assistant introduction and user intent handling.
v1.0.8
Version 1.0.8
- Removed detailed internal reference/implementation files: `analysis-and-workflows.md`, `cli-commands.md`, and `hyperliquid-fallback.md`.
- Cleaned and clarified the core skill documentation, focusing on user-facing functionality, identity, and platform rules.
- Internal routing, data sourcing, and fallback logic references are no longer included in distributed files.
- No changes to user-facing behavior or supported commands.
v1.0.7
tacoclawtest v1.0.7
- Added comprehensive internal and user-facing documentation in three new reference files:
  - analysis-and-workflows.md
  - cli-commands.md
  - hyperliquid-fallback.md
- Expanded and clarified the SKILL.md: streamlined internal rules, data requirements, platform defaults, and user facing messaging.
- Outlined clear routing rules for user intents and symbol resolution.
- Improved safety, risk, and pre-trade validation guidance for all trading actions.
- Documented data source priorities, especially fallback behavior for market data.
v1.0.6
- Assistant and platform name changed from "TacoClaw" to "Taco" throughout documentation and descriptions.
- Updated all internal and user-facing references to match the new naming convention.
- Replaced the added client script: removed scripts/tacoclaw_client.js and added scripts/taco_client.js.
- No functionality changes; all trading rules and behavioral guidelines remain consistent with previous versions.
v1.0.5
**Major update: TacoClaw now acts as the native AI trading assistant for the Taco platform, defaulting all actions to Taco with strict pre-trade validation and updated behavior rules.**
- TacoClaw defaults to executing all user trading intents on the Taco platform; never asks which exchange.
- Behavior and tone rules added for identity, confirmations, bilingual support, and risk communication.
- Pre-trade validation rules ensure adequate user balances and enforce Taco platform minimums before every trade.
- Internal behavior guidelines added for trade sizing, leverage, and proactive messaging.
- Clarified default parameters (margin mode, symbol format, kline interval, PnL period) used in executions and suggestions.
v1.0.4
Version 1.0.4
- Removed the requirement to check for the Node.js "commander" package before running commands.
- Documentation now omits instructions regarding installing or verifying "commander" as a dependency.
- No runtime functionality changes; only setup and usage documentation updated.
v1.0.3
- Updated all usage examples to use --exchange Taco instead of Hyper.
- No functional or code changes; documentation update only.
- Ensured instruction consistency for command usage throughout the SKILL.md.
v1.0.2
No changes detected in this version.
- No file changes were made from the previous version.
- Functionality, documentation, and features remain the same.
v1.0.1
- Removed the file: scripts/tacoclaw_client.py
- No other functional changes documented.
v1.0.0
Initial release of the tacoclaw skill for native TacoClaw trading API operations.
- Enables trading actions including open/close positions, set leverage, margin mode, stop loss, and take profit.
- Supports order management: cancel, fetch filled, and list open orders.
- Provides kline/candlestick market data with public endpoint access.
- Uses configuration stored at `~/.openclaw/workspace/tacoclaw/config.json`; guides setup if missing.
- Requires Node.js v18+ and the `commander` package for CLI operations.
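Metadata
FAQ
What is Tacoclaw Test?
Taco is the AI trading assistant of the Taco crypto DEX. Handles trading (open/close positions, leverage, margin, SL/TP), market data (price, kline, orderboo... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 450 cumulative downloads to date.
How do I install Tacoclaw Test?
Run the command "/install tacoclawtest" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Tacoclaw Test free?
Yes, Tacoclaw Test is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Tacoclaw Test support?
Tacoclaw Test is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Tacoclaw Test?
It is developed and maintained by nada (@furoxr); the current version is v1.0.9.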