Last30days Skill

Security checks across malware telemetry and agentic risk

Overview

This research skill should be reviewed before installation because it can read local browser login cookies and use local GitHub credentials beyond what its main security text clearly explains.

Install only if you are comfortable with a research tool reading local browser session cookies and using local developer credentials. Prefer setting FROM_BROWSER=off and supplying explicit limited API keys. Avoid the GitHub/ScrapeCreators setup path unless you understand that a local gh token may be sent to that service, and expect raw reports plus config state to be stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (59)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return env_token
    # Fallback: try gh CLI
    try:
        result = subprocess.run(
            ["gh", "auth", "token"],
            capture_output=True, text=True, timeout=5,
        )
Confidence
95% confidence
Finding
result = subprocess.run( ["gh", "auth", "token"], capture_output=True, text=True, timeout=5, )

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill includes first-run setup-state management and persistent writes to ~/.config/last30days/.env, which go beyond transient research execution. Hidden or under-disclosed persistent config changes can surprise users, alter later behavior, and create a durable foothold for future runs.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill persists raw research files and appends supplemental WebSearch results to disk, but this persistence is not clearly surfaced in the top-level manifest. Saving user queries, results, and appended supplements can expose sensitive interests, research topics, or collected links to other local users or future processes.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill manages persistent user preferences like FUN_LEVEL and ELI5_MODE in a local config file, which is unrelated to core research and creates cross-session state. Persistent profile mutation can be abused to shape future outputs without the user's awareness.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The security section claims the skill does not access user accounts, yet earlier instructions rely on local auth state such as AUTH_TOKEN, CT0, FROM_BROWSER, xurl auth, and browser-cookie scanning. That contradiction is dangerous because it downplays credential-adjacent behavior and could lead users to authorize access they would otherwise decline.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill installs a SessionStart hook that automatically runs a shell command every time a session begins, even though the stated purpose is content research across public sources. Automatic shell execution expands the attack surface because it enables local command execution unrelated to the core research function, and any compromise of the referenced script or environment variables could lead to unintended code execution.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script invokes `claude` with `--dangerously-skip-permissions`, explicitly disabling the CLI's normal safety and permission checks for both runs. Because the topic string is user-controlled and the called skills may access files, network resources, or other privileged actions, this creates a real risk of unintended high-impact operations executing without approval; the research-oriented skill context increases risk because it is designed to fetch and process broad external content.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The evaluation environment forwards a broad set of live credentials, including social-media and scraping tokens, into subprocesses that execute repository code from different revisions. Because the script checks out and runs code from candidate/baseline revisions, any malicious or compromised revision can read and exfiltrate these secrets, making the benchmarking context materially more dangerous.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The CLI exposes setup and authentication flows that can write configuration and initiate device/account auth, which is materially broader than the advertised 'research recent posts' behavior. In an agent-skill context, hidden auth/setup side effects increase the risk of unexpected credential handling or account changes when a user expects read-only research behavior.

Description-Behavior Mismatch

Low
Confidence
93% confidence
Finding
When --save-dir is used, the code always writes a full raw dump to disk, including all items and transcripts, even if stdout is using a compact render. This creates a sensitive data exposure risk because users may believe they are saving only a summarized report while the tool stores a much richer artifact on disk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Bundling setup and authentication capabilities into a research skill violates least surprise and broadens the attack surface for credential capture, config tampering, and unintended account linking. This is more dangerous in agent environments because a caller may invoke the skill for passive research without realizing it can perform state-changing setup actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code retrieves the Chrome encryption secret from macOS Keychain and is explicitly designed to decrypt browser cookies. For a skill described as public social/web research, local credential extraction is unjustified and creates a clear credential-harvesting capability inconsistent with the stated purpose.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation exceeds the manifest's research scope by reading a local browser cookie database, decrypting protected values, and returning session material. That mismatch is dangerous because it hides sensitive credential-access behavior inside a skill users would reasonably expect to only gather public information.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file explicitly implements browser cookie extraction from local Firefox, Chrome, and Safari stores to obtain authentication material for third-party services. Reading reusable auth cookies from browser databases is credential access behavior and exceeds a normal 'research posts from public sources' capability, especially because it enables account takeover or impersonation if the extracted cookies are reused.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The WSL helper scans /mnt/c/Users to enumerate Windows user profiles and locate Firefox data on the host OS. That is intrusive host inspection for credential discovery, and in this skill context it increases risk because it reaches beyond the current environment into another OS user's browser state without a clear, narrow necessity.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code automatically extracts authentication cookies from local browsers and maps them into runtime credentials for X and Truth Social. That is a sensitive credential-access capability beyond ordinary 'research' behavior, and the default path intentionally prefers silent extraction from Firefox/Safari with no user-facing consent or disclosure, which materially increases abuse potential.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This module substantially exceeds the stated skill purpose of researching what people said in the last 30 days by building person-profile analytics, repo intelligence, release summaries, README harvesting, and star enrichment. That scope expansion increases privacy and data-mining risk, especially when the agent may analyze individuals and repositories beyond a user's clear request.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The token resolution logic performs local credential discovery from both environment variables and the GitHub CLI, even though the skill is framed as a research tool. In agent contexts, harvesting ambient credentials is high risk because it can quietly elevate privileges and cause authenticated external requests on behalf of the user or host environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file introduces Pinterest as a data source even though the declared skill description enumerates a fixed set of supported sources and does not mention Pinterest. That mismatch creates a transparency and policy-boundary issue: users and reviewers may believe only the listed sources are queried, while the skill can transmit user topics to an additional third-party service. In this context, hidden or undeclared data sources are more concerning because the skill performs external research on user-supplied topics.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code explicitly reads Safari's local cookie store and extracts named cookies for a target domain, which can include active authentication/session tokens. For a skill described as researching public discussion across platforms, accessing local browser cookies is unrelated to the stated purpose and creates a credential-harvesting capability that could enable account takeover or unauthorized access to third-party services.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This setup module performs GitHub authentication and retrieves API keys from ScrapeCreators, which materially exceeds the skill's stated purpose of researching recent public discussion. Expanding into account-auth and key provisioning increases trust and attack surface, especially because users may not expect a research skill to broker third-party credentials.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code can automatically install `yt-dlp` via Homebrew during setup, which changes the user's system state without an explicit confirmation in this file. For a research-oriented skill, silent package installation is an overbroad capability that could be abused to alter the environment or normalize unreviewed setup actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code reads a GitHub personal access token from the local `gh` CLI and sends it to `api.scrapecreators.com` for authentication. Transmitting a local PAT to a third party is highly sensitive and not justified by the stated research-only skill description, creating risk of credential misuse, oversharing of token scope, and unexpected account linkage.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The function documentation suggests it opens the browser for a GitHub device auth flow, but the implementation opens whatever `verification_uri` the remote service returns. That mismatch can mislead users and, if the upstream service is compromised or altered, could send users to an unexpected site for phishing or credential capture.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code explicitly instructs operators to supply a Truth Social bearer token sourced from browser developer tools, which strongly suggests reuse of an authenticated session token rather than a properly scoped API credential. That creates risk of unauthorized account/session use, token leakage, and collection of data under credentials unrelated to the skill's stated public research purpose.

VirusTotal

67/67 vendors flagged this skill as clean.
