Oathe Security Badge

Is skill/massive safe?

https://clawhub.ai/skill/massive

87 · SAFE

This appears to be a legitimate financial market data API client skill for the Massive service. The skill demonstrates good security practices with documented constraints and proper credential handling. However, the missing core executable script prevents complete assessment of the primary functionality.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

HIGH Missing Core Executable Script -35

The main executable file 'scripts/massive' referenced in BUNDLE_MANIFEST.md is not included in the source code evidence. This prevents complete security assessment of the skill's primary functionality.

MEDIUM Exec Command Support in Secret References -8

The skill supports 'exec' type secret references that can execute arbitrary commands. While documented as intentional for OpenClaw compatibility, this creates potential for command injection if misused.

LOW API Credential Handling -12

The skill handles API credentials for the Massive service, creating inherent risk if credentials are misused. However, this is expected functionality for a market data API client.