Massive Financial Connector
Author: virtual-ny · v1.1.1
Total downloads: 382
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install massive-financial-connector
Description
Full Massive (Polygon) market-data connector with secure local key handling. Starts the official MCP server and supports endpoint discovery, endpoint docs, g...
Safe usage recommendations
This skill appears to implement a legitimate Massive/Polygon connector, but there are three red flags you should address before installing or running it: (1) The registry metadata does not list MASSIVE_API_KEY or required binaries (curl, python3, uvx) — verify and supply only the minimal credentials needed. (2) start-mcp-server.sh calls a local uvx binary with a git+ URL which will fetch and execute code from GitHub at runtime — inspect what uvx does and manually review the GitHub repo (massive-com/[email protected]) before allowing it to run. (3) The scripts source your ~/.zshrc which can execute arbitrary shell code and expose other env variables; consider removing that line or running the scripts in a controlled environment. Recommended steps: run the scripts manually in an isolated VM/container, confirm the uvx binary's origin and behavior (or install a vetted alternative), verify the remote repo contents, and ensure your MASSIVE_API_KEY is stored and used securely (not committed or uploaded). If you cannot audit uvx and the GitHub repo, do not run the start script with network access.
Functional analysis
Type: OpenClaw Skill
Name: massive-financial-connector
Version: 1.1.1
The skill bundle exhibits high-risk behaviors including sourcing the user's '~/.zshrc' file in all shell scripts (e.g., 'get-agg-day.sh', 'start-mcp-server.sh'), which executes arbitrary code from the user's shell configuration and exposes the full environment. It also transmits the 'MASSIVE_API_KEY' as a plaintext URL query parameter to 'api.massive.com', a practice that leaks credentials in logs. Additionally, 'start-mcp-server.sh' uses 'uvx' to fetch and execute code directly from a remote GitHub repository ('github.com/massive-com/mcp_massive'), introducing a significant supply chain risk without sufficient pinning or verification.
Capability assessment
Purpose & Capability
The skill's stated purpose (Massive/Polygon market-data connector) matches the scripts, which call api.massive.com endpoints. However, the registry metadata declares no required env vars or binaries, while SKILL.md and the scripts require MASSIVE_API_KEY and expect curl, python3, and a local uvx binary. The missing declarations are inconsistent with the claimed functionality.
Instruction Scope
SKILL.md instructs the agent to run the provided scripts and to start the official MCP server. The scripts source the user's ~/.zshrc (silently), read MASSIVE_API_KEY, call api.massive.com via curl, and the server script execs a local uvx binary that will fetch/run code from a GitHub repo. Sourcing ~/.zshrc can execute user dotfile content and may expose or run unexpected state; the uvx-based remote fetch potentially downloads and executes code beyond the local files.
Install Mechanism
There is no install spec, but start-mcp-server.sh relies on an external runner ($HOME/.local/bin/uvx) invoked with a git+https://github.com/... URL which will pull code from GitHub at runtime. This is effectively a remote download-and-execute step that is not declared or constrained by an install block; whether it is safe depends entirely on the uvx tool and the remote repo's integrity.
Credentials
Requesting MASSIVE_API_KEY is appropriate for a Massive/Polygon connector, but the skill metadata omitted that requirement. The scripts also implicitly rely on curl and python3. Additionally, the scripts source ~/.zshrc which may expose other environment variables or execute arbitrary shell code — this is not justified by the stated purpose and increases risk of unintended side-effects or secret access.
Persistence & Privilege
The skill does not request always:true and does not modify global agent configuration in the provided files. There is no install spec that writes persistent system-wide artifacts in the package itself. The main privilege/risk comes from the runtime behavior (uvx fetching remote code), not from declared persistent privileges.
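How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install massive-financial-connector
- Once installation completes, call the Skill by name or use /massive-financial-connector to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output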
Version history
v1.1.1
Privacy recheck passed; republish
v1.1.0
Add full MCP server mode to expose all mcp_massive capabilities
v1.0.0
Initial release of massive-financial-connector
- Enables querying of real-time and historical market data from Massive (Polygon) APIs.
- Requires a local MASSIVE_API_KEY environment variable, with secure handling enforced.
- Provides simple shell scripts for fetching last trade, previous close, and aggregated daily data.
- Implements clear output formatting, explicit error handling, and disclaimer for investment-style prompts.
FAQ
What is Massive Financial Connector?
Full Massive (Polygon) market-data connector with secure local key handling. Starts the official MCP server and supports endpoint discovery, endpoint docs, g... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 382 cumulative downloads to date.
How do I install Massive Financial Connector?
Run the command "/install massive-financial-connector" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Massive Financial Connector free?
Yes, Massive Financial Connector is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Massive Financial Connector support?
Massive Financial Connector runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Massive Financial Connector?
It is developed and maintained by virtual-ny (@virtual-ny); the current version is v1.1.1.