Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Massive(Polygon)

v1.0.5

Access Massive(Polygon) stock, crypto, forex, options, indices, futures, market data, and news APIs via CLI.

by Bruce Shi (@bruce-shi)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binary (npx), and required env var (MASSIVE_API_KEY) align with a CLI wrapper for Massive/Polygon market data. Minor note: registry metadata lists source/homepage as unknown while SKILL.md references massive.com — verify the upstream package and publisher.
Instruction Scope
Runtime instructions are limited to invoking 'npx --yes massive <command>' and reference only API-related commands. The SKILL.md does not instruct reading unrelated files or accessing other credentials.
Install Mechanism
This is an instruction-only skill that relies on npx at runtime. npx will fetch and execute code from the npm registry on demand — expected for a CLI but a moderate operational risk if the npm package or its maintainer is untrusted.
Credentials
Only a single credential (MASSIVE_API_KEY) is required and declared as primary. No unrelated secrets, files, or config paths are requested.
Persistence & Privilege
Skill does not request persistent/always-on privileges and uses default autonomous invocation settings. It does not modify other skills or system configs.
Assessment
This skill appears coherent for calling Massive/Polygon APIs via the 'massive' CLI, but it invokes code via 'npx' which downloads/executes the 'massive' package from npm at run time. Before using:
1) Confirm the npm package name ('massive') and publisher are legitimate (check npmjs.com and the package's repository), since the registry metadata lists no source/homepage.
2) Review the package source (or pin a specific version) rather than blindly running npx --yes.
3) Limit the MASSIVE_API_KEY scope and avoid placing it in broadly shared environments; rotate it if you suspect misuse.
4) If possible, prefer installing a vetted release or vendor-provided client rather than repeated npx fetches to reduce the risk of supply-chain changes.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: npx
Env: MASSIVE_API_KEY
Primary env: MASSIVE_API_KEY