Back to skill
Skillv1.1.1
VirusTotal security
Massive Financial Connector · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:11 AM
- Hash
- 984e4dfafdbbe61456dafc027fd5256ec1ed98c7c9d58b91ce83e3a2f130881d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: massive-financial-connector Version: 1.1.1 The skill bundle exhibits high-risk behaviors including sourcing the user's '~/.zshrc' file in all shell scripts (e.g., 'get-agg-day.sh', 'start-mcp-server.sh'), which executes arbitrary code from the user's shell configuration and exposes the full environment. It also transmits the 'MASSIVE_API_KEY' as a plaintext URL query parameter to 'api.massive.com', a practice that leaks credentials in logs. Additionally, 'start-mcp-server.sh' uses 'uvx' to fetch and execute code directly from a remote GitHub repository ('github.com/massive-com/mcp_massive'), introducing a significant supply chain risk without sufficient pinning or verification.
- External report
- View on VirusTotal