Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Last30 Deep Research
v1.1.1
Deep research across Reddit, X/Twitter, Hacker News, YouTube, Polymarket, and the web from the last 30 days. Synthesizes findings into a grounded, cited brie...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (30-day multi-source research) matches the code: it queries Reddit, Hacker News, Polymarket, Brave Search and optionally X via the 'bird' CLI. However there are mismatches: SKILL.md claims a "zero-API-key setup" in one place but also declares BRAVE_API_KEY as required for web searches; the package lists required binaries (python3, node) but the Python script only uses python3 and an external 'bird' binary (not declared). Requiring node appears unnecessary for the stated functionality.
Instruction Scope
Runtime instructions and script are focused on web/social search and synthesis. They do write output to disk (~/Documents/Last30Days/) on every run; that persistence is documented but should be noticed. SKILL.md also references a separate 'summarize' skill for YouTube transcripts but does not declare that dependency or how it's invoked. The script will call an external 'bird' CLI when X auth vars are set; the SKILL.md notes optional AUTH_TOKEN/CT0 but the binary dependency for bird is missing from the declared required binaries.
Install Mechanism
This is instruction-only plus a shipped Python script; there is no install specification that downloads and executes remote archives. That reduces install-time risk (nothing is automatically fetched/installed by the skill itself).
Credentials
The skill requires BRAVE_API_KEY (reasonable for Brave Web Search) and optionally AUTH_TOKEN and CT0 for X — those cookies can be sensitive and are optional but will be used if present. The manifest also requires 'node' for no clear reason. The declaration that this is zero-API-key conflicts with the actual BRAVE_API_KEY requirement. Requesting X cookie auth (AUTH_TOKEN/CT0) is proportional only if the user intends to enable X searches; it should be optional and clearly explained.
Persistence & Privilege
The script saves every run to ~/Documents/Last30Days/{topic}-{date}.md (auto-save). The skill is not always-enabled and does not request elevated platform privileges. Persisting files to the user's Documents folder is expected for a research export, but users should be aware and may want to change the save path or review what is written.
What to consider before installing
This skill largely does what it says (searches public APIs and synthesizes findings) but there are multiple packaging inconsistencies you should consider before installing:
- BRAVE_API_KEY is required for web and YouTube searches; despite an earlier claim of "zero-API-key setup," the skill needs that key. If you don't want to provide a Brave key, web/YouTube searches will be skipped.
- The skill will optionally use AUTH_TOKEN and CT0 (X cookies) if set — those are sensitive session cookies. Only set them if you trust the environment and intend to allow X searches. If you don't set them, X searches are skipped.
- The manifest lists 'node' as a required binary but the included script appears to be Python-only; conversely, the script calls the external 'bird' CLI for X searches but 'bird' is not listed as a required binary. Confirm whether you need to install 'bird' and drop the unused 'node' requirement.
- The skill auto-saves results to ~/Documents/Last30Days/, creating files for every run. If you prefer not to persist data there, change SAVE_DIR in the script or run in a sandboxed environment.
- The SKILL.md references using a separate 'summarize' skill for YouTube transcripts but does not declare or automate that dependency; if you rely on transcript summarization, verify how that integration works.
Recommendations:
- Inspect scripts/research.py locally to confirm no hidden endpoints; the code shown uses only public endpoints (Reddit, hn.algolia, Brave, Polymarket) and a call to the 'bird' CLI. If you are not comfortable, run the script without setting AUTH_TOKEN/CT0 to avoid providing X cookies.
- Provide a Brave API key with minimal scope and rotate it if you stop using the skill.
- If you want to proceed, ask the author to correct the manifest (remove node if unused, add 'bird' if required, and clarify the zero-key claim) or patch the script to match your desired behavior.
Confidence: medium — the issues look like sloppy packaging and documentation rather than malicious intent, but the mismatches (credentials, binaries, saving behavior) warrant caution.
Like a lobster shell, security has layers — review code before you run it.
latestvk978gbq5wbs84rk7b1tmfw68bx83gnfq
Runtime requirements
📰 Clawdis
Bins: python3, node
Env: BRAVE_API_KEY
