Back to skill
Skillv1.0.1
VirusTotal security
Massive.com CLI · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:06 AM
- Hash
- 97d37b101bb55b1dcf8059444d7d88bd8d79f8397863c5059f77245f7733a12f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: massive Version: 1.0.1 The skill includes a high-risk capability allowing arbitrary command execution via `eval "${command}"` when resolving secrets from an `exec` source specified in the `MASSIVE_API_KEY_REF` environment variable (found in `scripts/massive` and documented in `references/openclaw-secrets.md`). This presents a significant Remote Code Execution (RCE) vulnerability if `MASSIVE_API_KEY_REF` can be controlled by untrusted input. While the documentation states this is an intentional feature for OpenClaw alignment and relies on the runtime for sandboxing, the direct use of `eval` without internal sanitization makes it suspicious due to the inherent risk, despite lacking clear evidence of malicious intent within the skill itself.
- External report
- View on VirusTotal