Last 30 Days (Lite)
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: last30days-lite
Version: 1.0.0
The `SKILL.md` file instructs the AI agent to execute a shell command, specifically `bird search "[topic]" -n 10 --plain`. The `[topic]` variable is user-controlled input. Direct execution of shell commands with unsanitized user input is a high-risk capability that can lead to shell injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system. While the stated purpose of searching X/Twitter is benign, the method of execution introduces a significant security risk without clear evidence of intentional malicious behavior from the skill author.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may use the user's existing X/Twitter account session for searches, exposing queries to that service and relying on local account credentials beyond a simple anonymous web search.
The skill says it needs no API keys but uses a logged-in X/Twitter cookie session through bird. Cookies are credentials, and the artifacts do not define which profile/session is used, what access is granted, or how the user approves or limits it.
No extra API keys needed ... Bird requires X/Twitter cookies (already configured)
Before use, require explicit consent for X/Twitter access, document the exact bird credential/profile used, keep it read-only/search-only, and provide revocation or disable instructions such as a web-only mode.
The safety of the X/Twitter portion depends on whatever bird binary is present on the user's machine.
The skill depends on an external bird CLI, but the artifacts do not include install or provenance details. This is purpose-aligned for X/Twitter search, but users must trust a separately installed tool.
Required binaries (all must exist): bird; Install specifications: No install spec — this is an instruction-only skill.
Install bird only from a trusted source, verify its configuration, and prefer pinned or documented installation instructions from the skill publisher.
Research topics may be sent to Brave Search, Reddit/web pages, and X/Twitter via bird.
The skill instructs the agent to fetch web pages and invoke a local CLI using the user's topic. This matches the research purpose and is not destructive, but it sends queries/content to external services and should remain user-directed.
`web_fetch(url="https://reddit.com/...", maxChars=10000)` ... `bird search "[topic]" -n 10 --plain`
Use it for topics you are comfortable searching publicly, and confirm before fetching sensitive or private URLs or running CLI searches tied to an authenticated account.
