Massive(Polygon)
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent market-data CLI skill, but users should trust the external npx package and protect their Massive/Polygon API key.
This skill appears benign and purpose-aligned for querying Massive/Polygon market data. Before installing, confirm you trust the npm package invoked by `npx --yes massive`, and provide only the API key needed for market-data access.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill depends on the integrity of the external npm package resolved by npx at run time.
The skill runs the external Massive CLI through npx with automatic confirmation. This is central to the skill's purpose, but the artifacts do not pin or include the npm package code being executed.
npx --yes massive <command> [options]
Use only if you trust the Massive CLI package source; prefer a pinned version or reviewed package provenance when possible.
Commands may use your Massive/Polygon account access and API quota.
The skill requires a Massive/Polygon API key. This is expected for the stated market data integration, but it gives the invoked CLI access to an account credential.
env: ["MASSIVE_API_KEY"] ... primaryEnv: "MASSIVE_API_KEY"
Use a scoped or dedicated API key if available, avoid sharing the key in prompts or logs, and monitor API usage.