X Trends

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims: fetch public X trending-topic data from getdaytrends.com and print it, with only minor third-party network and package provenance notes.

This skill looks safe for its stated purpose. Before installing, be comfortable with it contacting getdaytrends.com and with the normal npm dependency chain used by the CLI.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the command sends the selected country path to getdaytrends.com and returns public web content as trend results.

Why it was flagged

This shows the CLI performs an outbound request to getdaytrends.com based on the requested country. That is disclosed and purpose-aligned, but users should know the tool contacts a third-party site.

Skill content

const url = `https://getdaytrends.com/${countrySlug ? countrySlug + '/' : ''}`;
...
const html = await fetchTrends(url);

Recommendation

Use it for public trend lookups only, and treat returned trend names/links as untrusted public web data.

What this means

The main security dependency is trust in the packaged code and its npm dependencies, not any credential or local-data access by the skill itself.

Why it was flagged

The skill depends on third-party npm packages. This is normal for a Node CLI and a lockfile is included, but installation still relies on the npm dependency chain.

Skill content

"dependencies": {
  "chalk": "^5.3.0",
  "cheerio": "^1.0.0",
  "commander": "^12.0.0",
  "ora": "^8.0.0"
}

Recommendation

Install from the reviewed package version and keep the lockfile/dependencies under normal supply-chain review if using it in a sensitive environment.