v1.0.1

Massive.com CLI

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:18 AM.

Analysis

The skill’s stated Massive API purpose is coherent, but the reviewed bundle is missing the core executable it tells agents to run, while also documenting credential and command-based secret handling.

Guidance: Review this skill before installing. Its API-querying purpose is reasonable, but the package is incomplete because the main `scripts/massive` executable is absent. Ask for a complete bundle and verify the script before providing a Massive API key or enabling exec-based SecretRef resolution.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
BUNDLE_MANIFEST.md
- `scripts/massive` ... If a distributed artifact omits `scripts/massive`, treat it as a packaging error and regenerate the bundle from the repository root.

The artifacts themselves identify `scripts/massive` as required, but the supplied file manifest and full file contents do not include it, leaving the core executable unreviewed and the bundle internally inconsistent.

User impact: An agent following the skill may try to run a missing or unintended local `scripts/massive` command, and the actual CLI behavior cannot be verified from this bundle.
Recommendation: Do not install this bundle as-is; require a package that includes `scripts/massive` and its expected dependencies, then review that script before using API credentials.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
references/openclaw-secrets.md
- `exec`: execute a command and use stdout as the secret, matching OpenClaw's SecretRef model

The skill intentionally supports command-based secret resolution. This is documented and purpose-aligned for secret management, but it is still sensitive because it permits a configured command to run before API requests.

User impact: If `MASSIVE_API_KEY_REF` is configured with an `exec` source, the CLI may run that command to obtain the API key.
Recommendation: Only use trusted SecretRef configurations, prefer environment or managed secret references where possible, and avoid arbitrary `exec` commands unless they are approved by the user or runtime policy.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
agents/openai.yaml
credentials:
  primary:
    any_of:
      - MASSIVE_API_KEY_REF
      - MASSIVE_API_KEY

The skill expects access to a Massive API key or secret reference. This is appropriate for the stated API wrapper purpose, but users should recognize that an installed agent may use that credential for Massive API calls.

User impact: The agent may make authenticated Massive API requests, which could consume quota or expose account-linked access depending on the user’s Massive plan.
Recommendation: Use a least-privilege Massive API key, prefer `MASSIVE_API_KEY_REF` over plaintext environment variables, and monitor API usage.