Massive(Polygon)
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: massive-skill
Version: 1.0.5

The skill is classified as suspicious due to its reliance on `npx --yes massive <command>` for execution, as documented in `SKILL.md` and all `references/*.md` files. While this is a common method for running Node.js CLI tools, it introduces a supply chain risk by downloading and executing code from the npm registry without explicit auditing of the `massive` package itself. This constitutes a risky capability (shell execution of external code) without clear malicious intent from the skill's documentation, aligning with the definition of 'suspicious' rather than 'benign' or 'malicious'.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill depends on the integrity of the external npm package resolved by npx at run time.
The skill runs the external Massive CLI through npx with automatic confirmation. This is central to the skill's purpose, but the artifacts do not pin or include the npm package code being executed.
npx --yes massive <command> [options]
Use only if you trust the Massive CLI package source; prefer a pinned version or reviewed package provenance when possible.
Commands may use your Massive/Polygon account access and API quota.
The skill requires a Massive/Polygon API key. This is expected for the stated market data integration, but it gives the invoked CLI access to an account credential.
env: ["MASSIVE_API_KEY"] ... primaryEnv: "MASSIVE_API_KEY"
Use a scoped or dedicated API key if available, avoid sharing the key in prompts or logs, and monitor API usage.
