Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
last30days
v3.0.2-beta
Multi-query social search with intelligent planning. Agent plans queries when possible, falls back to Gemini/OpenAI when not. Research any topic across Reddi...
by Matt Van Horn (@mvanhorn)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (multi-query social research) align with required binaries (python3, node) and the primary credential (SCRAPECREATORS_API_KEY). The optional env vars and vendored Node X client match the declared supported sources (Reddit, X, YouTube, TikTok, Instagram, web backends).
Instruction Scope
Runtime instructions read bundled reference files and run the included Python scripts; they persist research to a local SQLite DB (~/.local/share/last30days) and optionally save files to ~/Documents/Last30Days and ~/.local/share/last30days/briefs. The skill also instructs first-run setup that can write API keys to ~/.config/last30days/.env. These behaviors are within the expected scope for a research/watchlist tool but are notable because they create persistent local artifacts and may store API tokens if you opt in.
Install Mechanism
No external install/url downloads are specified; the repository bundles a vendored Node module for X search and Python scripts. No remote install-from-URL or archive extraction is used, lowering install risk.
Credentials
Primary required env var is SCRAPECREATORS_API_KEY which is justified. Several optional env vars (OPENAI_API_KEY, XAI_API_KEY, OPENROUTER_API_KEY, PARALLEL_API_KEY, BRAVE_API_KEY, APIFY_API_TOKEN, AUTH_TOKEN, CT0, BSKY_*, etc.) are declared and make sense for the listed backends. Caution: AUTH_TOKEN/CT0 are X/Twitter session tokens — if provided the skill will use them for authenticated X GraphQL requests. Storing any account tokens in ~/.config/last30days/.env is optional but sensitive; only provide credentials you intend to use for read-only research.
Persistence & Privilege
The skill persists data locally (SQLite DB, saved report files) and documents watchlist scheduling guidance (cron). It is not marked always:true and disable-model-invocation:true prevents autonomous agent invocation. The persistence and local file writes are expected for a watchlist/briefing tool but are persistent privileges you should be aware of.
Assessment
This skill appears to be what it claims (a multi-source social research tool), but before installing:
1) Review the bundled scripts if you are concerned about sensitive data storage — the skill saves full research dumps (including transcripts) to ~/.local/share/last30days and optionally ~/Documents/Last30Days.
2) Only provide API keys or session tokens you trust to be used for read-only research; avoid supplying account session tokens (AUTH_TOKEN/CT0) unless you understand they allow authenticated X access.
3) The first-run setup can write keys to ~/.config/last30days/.env — if you prefer not to have persisted keys, use environment variables per-session instead.
4) The vendored Node module runs via node (ensure node is up-to-date) and may perform network queries to the declared endpoints; run the included --diagnose and inspect scripts (especially vendor/bird-search and scripts/lib/*) before first use.
5) The skill will not autonomously run (disable-model-invocation: true), but it does provide watchlist automation instructions (cron); scheduling those jobs is a manual step.
If you want additional assurance, run the scripts locally in a sandbox and inspect the saved outputs and config files before handing over any credentials.
scripts/lib/vendor/bird-search/lib/runtime-query-ids.js:50
Environment variable access combined with network send.
scripts/lib/vendor/bird-search/lib/twitter-client-base.js:38
Environment variable access combined with network send.
scripts/lib/vendor/bird-search/lib/runtime-query-ids.js:1
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📰 Clawdis
Bins: node, python3
Env: SCRAPECREATORS_API_KEY
Primary env: SCRAPECREATORS_API_KEY
