Taho

Name: Security Analysis: Taho
Item: Taho
Rating: 5
Author: ChromeBoard

🔍 Security Report Available

👥 40K+ users

📦 v0.66.0

💾 26.16MiB

📅 2026-01-18

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Overview

Taho is the community-owned Web3 wallet.

It’s got everything you need for DeFi + NFTs, plus lots of awesome features to love:

- An awesome Ledger integration
- A beautiful NFT gallery
- Swaps with no hidden fees

It's also the safest way to connect to web3:

- Taho is 100% open source
- You have full control over your coin
- Independently audited
- We respect your privacy

Install Taho to get started today!

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

✅ Version v0.66.1 was recently scanned.

v0.66.1 Info Scanned Feb 27, 2026

Security Analysis — Taho

Analyzed v0.66.1 · Feb 27, 2026 · 7 JS files · 41321 KB scanned

Permissions

Code Patterns Detected

External Connections

gov.tally.cash sea1.discourse-cdn.com icons.llamao.fi links.ethers.org www.w3.org raw.githubusercontent.com www.ethercluster.com ipfs.io 1rpc.io redux.js.org ethereum.api.nodesmith.io mezo.org +8 more

Package Contents 327 files · 88MB

▾📁_metadata42KB

{}verified_contents.json42KB

▾📁dev-utils53KB

📜extension-reload.js53KBlarge

▾📁fonts425KB

🔤QuincyCF-Medium.woff61KB

🔤QuincyCF-Medium.woff243KB

🔤QuincyCF-Text.woff60KB

🔤QuincyCF-Text.woff243KB

🔤segment-medium.woff43KB

🔤segment-medium.woff230KB

🔤segment-regular.woff41KB

🔤segment-regular.woff229KB

🔤segment-semibold.woff43KB

🔤segment-semibold.woff231KB

▾📁images5.2MB

▾📁abilities3KB

🖼airdrop.svg2KB

🖼mint.svg1KB

▾📁add_wallet10KB

🖼create_tally.svg7KB

🖼import.svg710B

🖼ledger.svg1KB

🖼preview.svg1KB

▾📁assets171KB

🖼avax.png10KB

🖼bnb.png102KB

🖼btc.png2KB

🖼doggo.png5KB

🖼eth.png8KB

🖼matic.png14KB

🖼rbtc.png30KB

▾📁avatars642KB

🖼atos@2x.png108KB

🖼foz@2x.png70KB

🖼lola@2x.png67KB

🖼matilda@2x.png69KB

🖼phoenix@2x.png86KB

🖼sirius@2x.png67KB

🖼sport@2x.png73KB

🖼topa@2x.png103KB

▾📁daos57KB

🖼aave_logo@2x.png7KB

🖼bankless_logo@2x.png4KB

🖼dxdao_logo@2x.png2KB

🖼ens_logo@2x.png4KB

🖼fwb_logo@2x.png5KB

🖼gitcoin_logo@2x.png3KB

🖼gnosis_logo@2x.png2KB

🖼keeper_logo@2x.png310B

🖼pleasr_logo@2x.png8KB

🖼radicle_logo@2x.png3KB

🖼sushi_logo@2x.png4KB

🖼synthetix_logo@2x.png2KB

🖼uniswap_logo@2x.png7KB

🖼yearn_logo@2x.png5KB

▾📁icons63KB

▾📁m48KB

🖼connected.svg970B

🖼continue.svg332B

🖼copy.svg549B

🖼dark.svg657B

🖼dashboard.svg1000B

🖼developer.svg584B

🖼disconnect.svg1KB

🖼discord.svg2KB

🖼earn.svg2KB

🖼export.svg529B

🖼eye-off.svg2KB

🖼eye-on.svg1KB

🖼feedback.svg714B

🖼gift.svg1KB

🖼github.svg24KB

🖼import.svg536B

🖼info.svg544B

🖼light.svg1KB

🖼list.svg354B

🖼lock-bold.svg425B

🖼lock.svg499B

🖼menu.svg225B

🖼new-tab.svg445B

🖼notif-announcement.svg841B

🖼notif-attention.svg584B

🖼notif-correct.svg697B

🖼notif-wrong.svg566B

🖼search.svg460B

🖼swap.svg484B

🖼switch.svg785B

🖼unlock-bold.svg588B

🖼unlock.svg715B

🖼wallet.svg660B

▾📁s15KB

🖼add.svg212B

🖼arrow-right.svg352B

🖼arrow-toggle.svg361B

🖼back.svg325B

🖼close.svg353B

🖼continue.svg325B

🖼copy.svg366B

🖼discord.svg2KB

🖼download.svg450B

🖼dropdown.svg323B

🖼edit.svg455B

🖼garbage.svg382B

🖼key.svg869B

🖼lock-bold.svg425B

🖼lock.svg499B

🖼mark-read.svg438B

🖼new-tab.svg364B

🖼notif-announ.svg610B

🖼notif-attention.svg495B

🖼notif-correct.svg610B

🖼notif-wrong.svg526B

🖼notification.svg394B

🖼receive.svg284B

🖼refresh.svg1KB

🖼send.svg270B

🖼settings.svg1KB

🖼settings2.svg270B

🖼swap.svg338B

🖼unlock-bold.svg587B

🖼unlock.svg715B

▾📁island228KB

🖼portal-image-title@2x.png124KB

🖼portal-image@2x.png104KB

▾📁marketplaces32KB

🖼galxe.svg1KB

🖼looksrare.svg1KB

🖼opensea.svg4KB

🖼poap.svg23KB

🖼poap_color.png993B

🖼poap_white.png901B

🖼rarible.svg932B

▾📁networks87KB

🖼arbitrum-square@2x.png3KB

🖼arbitrum@2x.png3KB

🖼arbitrum_icon_small@2x.png1KB

🖼arbitrumnova-square@2x.png2KB

🖼arbitrumnova@2x.png2KB

🖼arbitrumsepolia-square@2x.png3KB

🖼arbitrumsepolia@2x.png3KB

🖼avalanche-square@2x.png8KB

🖼avalanche@2x.png8KB

🖼bnbchain-square@2x.png551B

🖼bnbchain@2x.png551B

🖼celo-square@2x.png2KB

🖼celo@2x.png2KB

🖼ethereum-square@2x.png2KB

🖼ethereum@2x.png2KB

🖼ethereumsepolia-square@2x.png2KB

🖼ethereumsepolia@2x.png2KB

🖼mezomatsnet-square@2x.png642B

🖼mezomatsnet@2x.png642B

🖼optimism-square@2x.png10KB

🖼optimism@2x.png2KB

🖼polygon-square@2x.png7KB

🖼polygon@2x.png2KB

🖼rootstock-square@2x.png8KB

🖼rootstock@2x.png8KB

🖼activity_approve@2x.png908B

🖼activity_contract_interaction@2x.png339B

🖼activity_receive@2x.png328B

🖼activity_receive_medium@2x.png381B

🖼activity_send.svg275B

🖼activity_send@2x.png283B

🖼activity_send_medium@2x.png312B

🖼activity_swap@2x.png362B

🖼activity_swap_medium@2x.png415B

🖼arbitrum@2x.png1KB

🖼arrow@2x.png251B

🖼arrow_right@2x.png223B

🖼avatar@2x.png12KB

🖼back@2x.png520B

🖼banner-bg.svg942B

🖼banner_thumbnail.png17KB

🖼block_icon@2x.png1KB

🖼bolt@2x.png472B

🖼chain_list.svg11KB

🖼change@2x.png390B

🖼check.svg263B

🖼check@2x.png310B

🖼checkmark@2x.png519B

🖼chevron@2x.png468B

🖼chevron_down.svg364B

🖼chevron_left.svg394B

🖼chevron_right.svg361B

🖼claim.svg28KB

🖼claim@2x.png17KB

🖼claim_success.png67KB

🖼close.svg344B

🖼close@2x.png235B

🖼cog@2x.png371B

🖼confetti.svg20KB

🖼congrats_header@2x.png34KB

🖼connect_ledger_indicator_unknown.svg5KB

🖼connect_ledger_popup_underlay_downward_arrow.svg557B

🖼connect_ledger_popup_underlay_upward_arrow.svg549B

🖼connected-wc.svg3KB

🖼continue.svg367B

🖼copy@2x.png242B

🖼dapp_favicon_default@2x.png3KB

🖼dark_forest@2x.png28KB

🖼dark_forest_bg@2x.png18KB

🖼disconnect@2x.png457B

🖼discord@2x.png548B

🖼doggo_gold.svg7KB

🖼doggo_gold@2x.png3KB

🖼doggo_grey@2x.png6KB

🖼doggo_import.svg8KB

🖼doggo_intro.svg7KB

🖼doggo_light@2x.png2KB

🖼doggo_onboarding.svg7KB

🖼doggo_private_key.svg8KB

🖼doggo_readonly.svg9KB

🖼doggo_secure.svg8KB

🖼earn.svg3KB

🖼earn_tab@2x.png434B

🖼edit@2x.png367B

🖼empty_bowl@2x.png18KB

🖼eth@2x.png1KB

🖼ethereum-background@2x.png3KB

🖼external@2x.png377B

🖼external_small@2x.png325B

🖼eye@2x.png1KB

🖼eye_account@2x.png1KB

🖼garbage@2x.png174B

🖼gas@2x.png2KB

🖼gift@2x.png398B

🖼github@2x.png1KB

🖼graph@2x.png40KB

🖼icon-34.png2KB

🖼icon-60.png4KB

🖼illustration_bones@2x.png43KB

🖼illustration_import_seed@2x.png65KB

🖼illustration_unlock@2x.png76KB

🖼imported@2x.png583B

🖼info@2x.png851B

🖼json_file.svg2KB

🖼key-light.svg820B

🖼ledger_icon.svg766B

🖼loading_doggo.gif132KB

🖼lock@2.png577B

🖼lock@2x.png618B

🖼logo.svg3KB

🖼logo_horizontal.svg10KB

🖼logo_onboarding.svg17KB

🖼mac-shortcut-option-t.svg3KB

🖼mac-shortcut-option.svg3KB

🖼mac-shortcut-t.svg3KB

🖼mac-shortcut.svg2KB

🖼mark_read@2x.png295B

🖼mascot.svg26KB

🖼mascot@2x.png4KB

🖼message_correct.png6KB

🖼message_error.png6KB

🖼message_warning.png4KB

🖼mezo-1.png56KB

🖼mezo-2.png68KB

🖼mezo-3.png64KB

🖼more_dots@2x.png166B

🖼new_tab@2x.png364B

🖼new_tab_hover@2x.png361B

🖼nfts.svg1KB

🖼no_preview.svg5KB

🖼notification_announce.svg976B

🖼notification_announce@2x.png575B

🖼notification_error@2x.png235B

🖼notification_receive@2x.png310B

🖼onboarding_pin_extension.gif304KB

🖼onboarding_success.svg47KB

🖼optimism@2x.png560B

🖼other-wallet-connect-icon.svg969B

🖼overview_tab@2x.png198B

🖼paste@2x.png242B

🖼placeholder.svg530B

🖼plus@2x.png124B

🖼poap_logo.svg11KB

🖼polygon@2x.png699B

🖼portfolio.svg1000B

🖼portrait.png2KB

🖼qr_code@2x.png11KB

🖼receive@2x.png211B

🖼reload@2x.png864B

🖼reward_locked@2x.png5KB

🖼search_large@2x.png548B

🖼send@2x.png207B

🖼send_asset.svg355B

🖼settings.svg3KB

🖼stars.svg3KB

🖼stars_grey.svg3KB

🖼subscape-logo.svg1KB

🖼swap.svg484B

🖼swap@2x.png270B

🖼swap_asset.svg561B

🖼swap_tab@2x.png325B

🖼switch@2x.png354B

🖼tab_background.svg1.2MB

🖼taho-connect-icon.svg6KB

🖼tahonamechange.gif1.2MB

🖼tail.svg4KB

🖼tally_reward@2x.png1KB

🖼tally_token.svg10KB

🖼tally_wc.png7KB

🖼time.svg676B

🖼toggle.svg1KB

🖼transfer@2x.png258B

🖼trezor_icon@2x.png2KB

🖼twitter.svg499B

🖼twitter@2x.png222B

🖼uniswap@2x.png1KB

🖼uniswap_large@2x.png2KB

🖼wallet.svg660B

🖼wallet_connect_guideline.png17KB

🖼wallet_kind_icon@2x.png1KB

🖼wallet_tab@2x.png403B

🖼warning@2x.png1KB

🖼windows-shortcut-alt-t.svg6KB

🖼windows-shortcut-alt.svg6KB

🖼windows-shortcut-t.svg6KB

🖼windows-shortcut.svg6KB

🖼wordmark.svg4KB

📜background-ui.js2KB

📄background-ui.js.map2KB

📜background.js10.3MBlarge

📄background.js.LICENSE.txt3KB

📄background.js.map11.7MB

🎨fonts.css1KB

🖼icon-128.png13KB

🎨index.css3KB

{}manifest.json2KB

🌐popup.html350B

📜popup.js15MBlarge

📄popup.js.LICENSE.txt5KB

📄popup.js.map15.1MB

📜provider-bridge.js38KB

📄provider-bridge.js.map68KB

🌐tab.html409B

📜tab.js14.9MBlarge

📄tab.js.LICENSE.txt5KB

📄tab.js.map15MB

📜window-provider.js41KB

📄window-provider.js.map82KB

What This Extension Does

Taho is a community-owned Web3 wallet that provides DeFi and NFT features, Ledger integration, and secure connection to web3. It's designed for users who want to manage their cryptocurrencies and digital assets securely. With over 40,000 users, it's a popular choice in the Lifestyle/social category.

Permissions Explained

alarmsexpected: This permission allows Taho to display notifications on your browser.
Technical: Taho uses this permission to send push notifications to users when they have new transactions or updates. This is a standard Chrome API for sending notifications, and it does not grant access to sensitive data.
storageexpected: This permission allows Taho to store data locally on your device.
Technical: Taho uses this permission to store user data, such as wallet information and transaction history. This is a standard Chrome API for storing data locally, but it does grant access to sensitive data if compromised. ⚠ 1
unlimitedStoragecheck this: This permission allows Taho to store an unlimited amount of data on your device.
Technical: Taho uses this permission to store large amounts of user data, such as wallet information and transaction history. This is a high-risk permission that grants access to sensitive data if compromised. ⚠ 1
activeTabexpected: This permission allows Taho to access the currently active tab in your browser.
Technical: Taho uses this permission to monitor user activity and detect when they are interacting with web3 applications. This is a standard Chrome API for accessing tab data, but it does grant access to sensitive information if compromised. ⚠ 1
notificationsexpected: This permission allows Taho to display notifications on your browser.
Technical: Taho uses this permission to send push notifications to users when they have new transactions or updates. This is a standard Chrome API for sending notifications, and it does not grant access to sensitive data.

Your Data

Taho accesses user data on your device, including wallet information and transaction history. It sends this data to various domains, including gov.tally.cash, sea1.discourse-cdn.com, and raw.githubusercontent.com.

Technical Details

Taho contacts the following domains: gov.tally.cash, sea1.discourse-cdn.com, icons.llamao.fi, links.ethers.org, www.w3.org, raw.githubusercontent.com, www.ethercluster.com, ipfs.io, 1rpc.io, redux.js.org, ethereum.api.nodesmith.io, mezo.org. It uses WebSocket connections and postMessage for cross-origin communication.

Code Findings

Unnecessary Permission: unlimitedStorageMedium

Taho has an unnecessary permission to store an unlimited amount of data on your device. This could potentially lead to sensitive information being compromised if the extension is hacked.

Technical: The extension uses the unlimitedStorage permission, which grants access to sensitive data if compromised. This is not necessary for the stated purpose of the extension and should be removed.

💡 Extensions often need to store user data locally, but this permission is excessive and unnecessary.

Potential Data Exposure: activeTabMedium

Taho has access to the currently active tab in your browser. This could potentially lead to sensitive information being compromised if the extension is hacked.

Technical: The extension uses the activeTab permission, which grants access to sensitive information if compromised. This is necessary for the stated purpose of the extension, but it's still a high-risk permission that should be carefully monitored.

💡 Extensions often need to monitor user activity and detect when they are interacting with web3 applications.

Potential Data Exposure: storageMedium

Taho has access to your device's storage. This could potentially lead to sensitive information being compromised if the extension is hacked.

Technical: The extension uses the storage permission, which grants access to sensitive data if compromised. This is necessary for the stated purpose of the extension, but it's still a high-risk permission that should be carefully monitored.

💡 Extensions often need to store user data locally.

Bottom Line

Taho has some concerning permissions and potential data exposure risks. While it's designed for secure web3 interactions, its excessive storage permission and access to sensitive information raise concerns. Users should carefully review the extension's permissions and consider alternative options.