Is ceeyang/polymarket-odds-1-0-0 safe?

https://github.com/openclaw/skills/tree/main/skills/ceeyang/polymarket-odds-1-0-0

76
CAUTION

This Polymarket CLI skill appears functionally legitimate based on its documentation, but suffers from critical transparency issues. The main executable source code is missing from the audit, making full security verification impossible.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (3)

HIGH Missing Source Code Transparency -40

The content of the main executable file 'polymarket.mjs' is not provided in the audit evidence, making it impossible to verify what code would be executed. This is a critical security concern for any executable skill.

MEDIUM Sensitive File Access During Installation -25

Monitoring detected access to sensitive credential files including .env, SSH keys, AWS credentials, and other config files. While files were not modified, the access itself is concerning.

LOW Canary File Access Without Modification -10

Honeypot credential files were accessed but not modified or exfiltrated, indicating potential reconnaissance behavior from system processes rather than the skill itself.