Massive(Polygon)

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill depends on the integrity of the external npm package resolved by npx at run time.

Why it was flagged

The skill runs the external Massive CLI through npx with automatic confirmation. This is central to the skill's purpose, but the artifacts do not pin or include the npm package code being executed.

Skill content

npx --yes massive <command> [options]

Recommendation

Use only if you trust the Massive CLI package source; prefer a pinned version or reviewed package provenance when possible.

What this means

Commands may use your Massive/Polygon account access and API quota.

Why it was flagged

The skill requires a Massive/Polygon API key. This is expected for the stated market data integration, but it gives the invoked CLI access to an account credential.

Skill content

env: ["MASSIVE_API_KEY"] ... primaryEnv: "MASSIVE_API_KEY"

Recommendation

Use a scoped or dedicated API key if available, avoid sharing the key in prompts or logs, and monitor API usage.