last30days

Security checks across malware telemetry and agentic risk

Overview

This is a real research/watchlist skill, but it has under-disclosed credential sharing, automatic package installation during setup, broad local persistence, and configurable outbound notifications that deserve review before install.

Install only if you are comfortable with a high-capability research agent that writes local research history, uses multiple third-party APIs, and may incur provider costs. Avoid running `setup --github` unless you understand that it can transmit your local GitHub CLI token to ScrapeCreators; prefer explicit, narrowly scoped API keys. Review `~/.config/last30days/.env`, webhook delivery settings, and saved files under `~/Documents/Last30Days` and `~/.local/share/last30days` regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return env_token
    # Fallback: try gh CLI
    try:
        result = subprocess.run(
            ["gh", "auth", "token"],
            capture_output=True, text=True, timeout=5,
        )
Confidence
91% confidence
Finding
result = subprocess.run( ["gh", "auth", "token"], capture_output=True, text=True, timeout=5, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares only high-level allowed tools, but its instructions clearly enable broad shell, file, environment-variable, network, and persistent-storage access. That creates a meaningful capability gap for reviewers and users, who may not realize the skill can read local files, consume secrets from the environment, write persistent data, and invoke external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised purpose is topic research, but the skill also performs persistent knowledge accumulation, watchlist management, brief archival, and local context updates, which materially expand its data-handling behavior. This mismatch is dangerous because users may invoke a seemingly transient research tool without understanding that it can store history, preferences, and outputs on disk over time.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs writing to `~/.config/last30days/.env` to toggle modes like ELI5 and fun level, which is unrelated to the core one-shot research task and creates persistent side effects on the user's system. Any skill that can modify configuration files can silently alter future agent behavior or be extended to tamper with other settings, especially because these writes are triggered by ordinary conversational phrases.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This section adds person-profile and repository profiling behavior that materially expands the skill from topical last-30-days research into contributor and project intelligence gathering. In an agent setting, that scope creep increases privacy and misuse risk because it enables profiling of individuals' activity, projects, and relationships beyond the stated purpose.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The star-enrichment logic parses arbitrary candidate text and performs live lookups against any detected GitHub repo references. That broadens data collection beyond the user's direct query and can cause unintended outbound requests based on untrusted content, which is especially risky in an agent pipeline handling mixed or attacker-influenced inputs.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill obtains credentials via the external `gh` CLI, which is a privileged capability not implied by the manifest's research description. This increases the attack surface because the skill can inherit local developer credentials and use them for network activity without an explicit, narrowly scoped secret-passing mechanism.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The setup flow reads the user's GitHub authentication token from the local `gh` CLI and sends it to `api.scrapecreators.com` for PAT-based authentication. This is dangerous because it exfiltrates a highly sensitive credential to a third party unrelated to local setup, potentially granting broad access to the user's GitHub account depending on token scope.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The auto-setup path can install `yt-dlp` via Homebrew during first-run setup, which modifies the host system beyond the skill's stated research/search purpose. Silent package installation expands the trust boundary and could surprise users or violate least-privilege expectations for an agent skill.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The module expands from search/transcript retrieval into fetching and attaching user comments from a third-party service, which increases data collection and external sharing beyond the apparent core skill purpose. In an agent context, this creates a privacy and data-governance risk because user queries and selected video identifiers are transmitted to another provider without clear minimization, disclosure, or opt-in.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The docstring materially understates the module’s behavior by claiming yt-dlp-only search/transcript extraction while the code also performs direct YouTube scraping and calls a third-party API. This kind of capability mismatch is dangerous in agent skills because reviewers, operators, or policy controls may approve the skill under incorrect assumptions about network destinations and data handling.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script contains outbound webhook delivery functionality that is not reflected in the stated skill description, creating a transparency and data exfiltration concern. Users may believe the skill only performs research, while it can also transmit topic names and finding counts to external endpoints configured through settings.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Support for arbitrary HTTPS webhook posting expands the skill beyond its stated research purpose and enables data to be sent to any externally controlled URL. In an agent environment, this increases the risk of covert exfiltration or unauthorized integrations because the destination is configurable and not tightly scoped.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The changelog documents that the skill automatically saves complete research briefings to `~/Documents/Last30Days/` on every run, but it does not indicate meaningful user consent, privacy warnings, or data minimization. Persisting potentially sensitive prompts, research topics, summaries, and follow-up suggestions to a predictable local path can expose private activity to other local users, backups, sync services, or later compromise.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The alias and activation examples are broad enough that ordinary user phrases like 'last30 ...' could trigger the skill in contexts where the user did not intend to launch a high-capability research workflow. Because the skill can read and write local state and call external tools, accidental activation increases the chance of unintended data collection, persistence, or network activity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to read and update a persistent context file at session start without any explicit user warning or consent. In a research skill, this makes the context more dangerous because normal informational queries can silently modify local state, accumulate user preferences, and create privacy and integrity risks over repeated use.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The instruction to research "ANY topic" across many platforms creates an extremely broad trigger surface for a skill, increasing the chance it activates on normal conversation or ambiguous requests. Overly broad activation can cause unintended data collection, external querying, and execution of persistence-capable commands without the user realizing a specialized skill has taken control.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Allowing activation from a bare topic string like `[topic]` means ordinary user text can be interpreted as a command to launch research. In this skill, that activation is especially risky because it leads to foreground script execution, external searches, and local result storage, so accidental triggering has real privacy and side-effect implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that agent mode automatically saves raw research data to `~/Documents/Last30Days/` without any user-facing warning or consent. Persisting raw outputs from social platforms and web sources can store sensitive queries, handles, or research subjects on disk, creating avoidable privacy and retention risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The core execution command includes `--save-dir=~/Documents/Last30Days` and `--store`, which persist findings and raw results locally without a clear warning about retention. Because the skill can be triggered broadly, this increases the chance that user interests, topics, and gathered content are silently written to disk and retained beyond the session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code intentionally saves a full debug artifact to disk whenever `--save-dir` is used, including all items, all sources, and transcripts, while the user-facing output may only show a compact view. This creates a confidentiality risk because sensitive research data, transcripts, or provider-returned content can be persisted unexpectedly in plaintext files and later exposed through local access, backups, logs, or artifact collection.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code accepts X credentials from config/environment and forwards them to a Node subprocess without any notice, consent, or narrowing of what is exposed. Passing secrets into a child process increases the attack surface because any compromise, logging, crash dump, or unexpected dependency behavior in the Node path can access them.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This path performs authenticated network-backed searches against X through a Node subprocess, but there is no user-facing warning in this file that user queries and credentials may be sent to Twitter/X. In an agent skill context, silent outbound transmission of research topics to a third party creates privacy and trust risks, especially when authentication cookies/tokens are involved.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The ScrapeCreators enrichment path sends a Reddit post URL to a third-party service using an API token, which creates a real data-sharing boundary outside the local/runtime trust domain. Even though the data is likely public Reddit content, this can leak user research targets, usage patterns, and possibly sensitive investigation topics without an explicit warning or consent mechanism, making it a legitimate privacy/security concern in an agent skill that may process arbitrary user queries.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The reranking prompt sends candidate titles, snippets, dates, and matched query context to an external LLM provider. If candidate data contains sensitive, private, copyrighted, or policy-restricted content, this creates an unintended data disclosure channel to a third party, especially because the skill aggregates content from many external platforms and may process user-directed topics at scale.

VirusTotal

66/66 vendors flagged this skill as clean.
