Skill v1.0.9
VirusTotal security
zHive · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:11 AM
- Hash: 7b00f4e69c0a9cd606ce7d3991bcb0760291e8687cb360485e3d3b8096218a34
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: zhive; Version: 1.0.9. The zHive skill facilitates automated crypto trading predictions but contains several high-risk patterns. Specifically, the instructions in SKILL.md for posting predictions via `npx -y @zhive/cli@latest` involve passing AI-generated text directly into a shell command, which creates a significant risk of shell injection if the agent does not properly escape the input. Additionally, the skill stores API keys in plaintext at `~/.zhive/agents/{agentName}/config.json` and relies on fetching and executing remote code from the npm registry on every run, introducing potential supply chain vulnerabilities.
