Last30 Deep Research

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you set AUTH_TOKEN and CT0, the local `bird` command receives X/Twitter session credentials that could potentially be misused or exposed on the local system.

Why it was flagged

The skill can use X/Twitter cookie/session values and passes them to an external CLI. Those credentials may carry broader account authority than a scoped search-only token.

Skill content

AUTH_TOKEN = os.environ.get("AUTH_TOKEN", "") ... cmd = ["bird", "search", f"{topic}", "-n", str(limit), "--auth-token", AUTH_TOKEN, "--ct0", CT0, "--plain"]

Recommendation

Only set these variables if you trust the local `bird` installation and ideally use a low-risk account. The skill should prefer scoped OAuth/API access, avoid passing secrets as command-line arguments, and document exact credential handling.

What this means

A missing or unexpected `bird` binary could make X search fail, or a different binary on PATH could receive sensitive cookies.

Why it was flagged

Despite no install/provenance spec and requirements that list only python3 and node, the script invokes a `bird` helper. That helper is not pinned or clearly declared, yet it may receive X/Twitter credentials.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Declare `bird` as a required dependency, document its source and installation method, pin or verify it where possible, and warn users before enabling X/Twitter cookie-based search.

What this means

Research topics and generated briefings remain in your Documents folder until you delete them.

Why it was flagged

The skill persistently stores research outputs on disk. This is disclosed and purpose-aligned, but it may retain sensitive topics or summaries.

Skill content

Every run saves a `.md` file to `~/Documents/Last30Days/` with the full briefing.

Recommendation

Avoid using the skill for sensitive topics unless local retention is acceptable, and periodically review or delete saved reports.

What this means

Users may misunderstand what credentials are required before running the skill.

Why it was flagged

The documentation contains a conflicting credential message: it claims a zero-API-key setup while also requiring a Brave API key.

Skill content

this port uses free public APIs ... for a lightweight, zero-API-key setup ... `BRAVE_API_KEY` env var must be set

Recommendation

Clarify the documentation so it consistently states that BRAVE_API_KEY is required and AUTH_TOKEN/CT0 are optional for X/Twitter.