Is reddit-cli safe?

https://clawhub.ai/kelsia14/reddit-cli

Score: 52
Verdict: CAUTION

This skill is published as 'reddit-cli' but contains zero functionality — an empty SKILL.md, no code, no package.json, and only a lock.json that references a completely different skill ('academic-research-hub'). While no active malicious payload exists, the name mismatch, empty state, and attractive marketplace name are consistent with name-squatting or a staging shell for future malicious content delivery via update.

Category Scores

Prompt Injection: 40/100 (weight 30%)
Data Exfiltration: 70/100 (weight 25%)
Code Execution: 80/100 (weight 20%)
Clone Behavior: 95/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 15/100 (weight 5%)

Findings (4)

[HIGH] Skill name mismatch: published as 'reddit-cli' but lock.json references 'academic-research-hub' (-35)

The .clawhub/lock.json file declares a dependency on 'academic-research-hub' v0.1.0, but the skill is published and installed as 'reddit-cli'. This mismatch indicates the skill was either repackaged from a different skill, is squatting the 'reddit-cli' name, or is manipulating metadata to confuse auditing tools. Users installing this skill would have no indication that 'academic-research-hub' is involved.

[HIGH] Empty SKILL.md — no declared functionality or permission boundaries (-25)

SKILL.md is completely empty. A legitimate skill should declare what it does, what tools it needs, and what permissions it requires. An empty SKILL.md means the skill injects nothing into the agent's prompt, providing zero functionality. This is either a broken/incomplete skill or a deliberate shell that could be updated later with malicious prompt content. The empty state also means there are no permission boundaries defined, so if the platform grants default permissions based on skill presence, those permissions are granted without justification.

[MEDIUM] Potential name-squatting or update-vector shell (-85)

This skill occupies the attractive 'reddit-cli' name on the marketplace with zero functionality. This pattern is consistent with name-squatting (blocking legitimate developers from using the name) or staging a shell that will be updated with malicious content after accumulating installs. The mismatched internal skill name ('academic-research-hub') further supports the theory that this is not a genuine Reddit CLI tool in development.

[LOW] No exfiltration code present, but no code at all to audit (-30)

While no exfiltration was detected, the complete absence of code means this assessment could change entirely with a single update. The current state provides no assurance about future behavior.