Massive Financial Connector — Massive tool
v1.1.1 [AI-assisted] Full Massive (Polygon) market-data connector with secure local key handling. Starts the official MCP server and supports endpoint discovery, endpoint docs, g...
Security scan
OpenClaw
Suspicious
Medium confidence: The skill mostly does what its description says (query Massive/Polygon), but the package metadata omits required environment variables and binaries, and the start script relies on a local 'uvx' runner that will fetch and run code from GitHub at runtime — these mismatches and the remote-execution path are concerning and worth manual review before installing.
Assessment recommendation
This skill appears to implement a legitimate Massive/Polygon connector, but there are three red flags you should address before installing or running it: (1) The registry metadata does not list MASSIVE_API_KEY or required binaries (curl, python3, uvx) — verify and supply only the minimal credentials needed. (2) start-mcp-server.sh calls a local uvx binary with a git+ URL which will fetch and execute code from GitHub at runtime — inspect what uvx does and manually review the GitHub repo (massive-...
⚠ Purpose and capabilities
The skill's stated purpose (Massive/Polygon market-data connector) matches the scripts, which call api.massive.com endpoints. However, the registry metadata declares no required env vars or binaries, while SKILL.md and the scripts require MASSIVE_API_KEY and expect curl, python3, and a local uvx binary. The missing declarations are inconsistent with the claimed functionality.
⚠ Instruction scope
SKILL.md instructs the agent to run the provided scripts and to start the official MCP server. The scripts source the user's ~/.zshrc (silently), read MASSIVE_API_KEY, call api.massive.com via curl, and the server script execs a local uvx binary that will fetch/run code from a GitHub repo. Sourcing ~/.zshrc can execute user dotfile content and may expose or run unexpected state; the uvx-based remote fetch potentially downloads and executes code beyond the local files.
⚠ Install mechanism
There is no install spec, but start-mcp-server.sh relies on an external runner ($HOME/.local/bin/uvx) invoked with a git+https://github.com/... URL which will pull code from GitHub at runtime. This is effectively a remote download-and-execute step that is not declared or constrained by an install block; whether it is safe depends entirely on the uvx tool and the remote repo's integrity.
⚠ Credential requirements
Requesting MASSIVE_API_KEY is appropriate for a Massive/Polygon connector, but the skill metadata omitted that requirement. The scripts also implicitly rely on curl and python3. Additionally, the scripts source ~/.zshrc which may expose other environment variables or execute arbitrary shell code — this is not justified by the stated purpose and increases risk of unintended side-effects or secret access.
✓ Persistence and privileges
The skill does not request always:true and does not modify global agent configuration in the provided files. There is no install spec that writes persistent system-wide artifacts in the package itself. The main privilege/risk comes from the runtime behavior (uvx fetching remote code), not from declared persistent privileges.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.1.1 (2026/3/6)
Privacy recheck passed; republish
● Suspicious
Install command
Official: npx clawhub@latest install massive-financial-connector
Mirror (accelerated): npx clawhub@latest install massive-financial-connector --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库
OpenClaw skill customization / plugin customization / private workflow customization
Free skills or plugins may carry security risks; if you need a better-matched, more secure solution, consider contacting us for paid customization.