Is deanpress/polymarket-odds safe?

https://github.com/deanpress/polymarket-odds

94
SAFE

This skill is effectively empty and non-functional. The git clone of deanpress/polymarket-odds failed (repo likely private or non-existent), leaving only a .clawhub/lock.json with a mismatched skill name. No SKILL.md content, no source code, no executable files, and no suspicious behavior were detected during installation. All monitored activity (network, filesystem, process execution) was attributable to system infrastructure and the Oathe monitoring framework.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

INFO Git clone failed — repo inaccessible -5

The git clone operation failed with 'could not read Username for https://github.com: No such device or address'. The repository may be private, deleted, or renamed. This prevented full source code analysis.

LOW Skill name mismatch in lock.json -5

The .clawhub/lock.json references skill 'academic-research-hub' but the repo slug is 'deanpress/polymarket-odds'. This mismatch suggests stale metadata, a repo rename, or a lock file carried over from a different context. Not a security threat but indicates inconsistent packaging.

INFO Empty SKILL.md — no prompt content -5

SKILL.md is completely empty. There are no instructions, persona overrides, permission escalations, or hidden directives. While this means zero prompt injection risk, it also means the skill provides no functionality.

INFO No executable code in repository -5

The only file present is .clawhub/lock.json, which is declarative JSON metadata. No JavaScript, TypeScript, Python, shell scripts, or other executable content was found. No package.json means no npm lifecycle hooks.