Last30days Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly does the advertised recent-topic research, but it can use your logged-in X/browser session and stores research results locally, so it deserves careful review before use.
Install only if you are comfortable running local Python/Node research scripts that use your OpenAI key and may access your logged-in X browser session. Review the vendored X/cookie code first, consider using a dedicated browser profile, avoid sensitive topics unless local storage is acceptable, and do not enable watchlist cron jobs unless you want ongoing collection.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may cause local code to access your logged-in X session/cookies to perform searches, which is more sensitive than ordinary public web search.
This shows the skill can use an existing authenticated X/browser session and manual session-token environment variables, not just the declared OPENAI_API_KEY.
X search reads your existing browser cookies - no API keys or login commands needed. ... Chrome: Works, but macOS will prompt you to allow Keychain access ... export AUTH_TOKEN=your_auth_token ... export CT0=your_ct0_token
Use only if you are comfortable granting the bundled X client access to your X session; prefer a dedicated/low-privilege browser profile or API credential if possible, and review the vendored cookie-handling code before enabling it.
In runtimes that honor this file, the model might invoke the research skill without an explicit slash command, causing local scripts and network searches to run based on conversation context.
This Codex/OpenAI-specific metadata allows implicit invocation, which may differ from the registry's user-invocable/disable-model-invocation posture.
policy: allow_implicit_invocation: true
Confirm your runtime's invocation policy and disable implicit invocation if you want the skill to run only when explicitly called.
You rely on bundled third-party X/Twitter client code that handles authentication tokens and cookies.
The static scan reports a hardcoded/redacted auth-token literal in vendored X search code. This may be provider-client plumbing, but it increases the need to review provenance and updates.
authToken: [REDACTED],
Review the vendored Bird/X client source and keep it updated from a trusted upstream before using it with an authenticated browser session.
Your research topics and fetched results may remain on disk and could be reused as context in future workflows.
The skill persists research outputs and raw provider responses locally for later reuse or import by other skills.
All outputs are written to `~/.local/share/last30days/out/`: `report.md`, `report.json`, `last30days.context.md`, `raw_openai.json`, `raw_xai.json`
Avoid using sensitive topics unless local persistence is acceptable, and clear `~/.local/share/last30days/out/` or caches when needed.
If you enable the open/watchlist variant and add cron or an always-on bot, the skill can continue collecting research over time.
The open variant supports scheduled/recurring research and persistent accumulation, but the documentation says it does not run automatically without an external scheduler.
Add any topic to a watchlist ... re-researches it on demand or via cron ... accumulates findings in a local SQLite database. ... nothing triggers runs automatically. You need an external scheduler
Enable watchlists or cron only intentionally, document the schedule, and periodically review or prune the local SQLite database.
