Last30 Deep Research

Advisory

Audited by VirusTotal on Mar 24, 2026.

Overview

Type: OpenClaw Skill
Name: last30
Version: 1.1.1

The skill provides research capabilities by querying multiple web APIs and executing an external CLI tool named 'bird' to fetch X/Twitter data. It is classified as suspicious because it passes sensitive credentials (AUTH_TOKEN and CT0) as command-line arguments in scripts/research.py, which can expose them to other users on the system via process monitoring. Additionally, the skill requires broad network access and file system write permissions (to ~/Documents/Last30Days), which are high-risk capabilities that, while functional for the stated purpose, meet the threshold for a suspicious classification under the provided criteria.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you set AUTH_TOKEN and CT0, the local `bird` command receives X/Twitter session credentials that could potentially be misused or exposed on the local system.

Why it was flagged

The skill can use X/Twitter cookie/session values and passes them to an external CLI. Those credentials may carry broader account authority than a scoped search-only token.

Skill content

AUTH_TOKEN = os.environ.get("AUTH_TOKEN", "")
...
cmd = ["bird", "search", f"{topic}", "-n", str(limit), "--auth-token", AUTH_TOKEN, "--ct0", CT0, "--plain"]

Recommendation

Only set these variables if you trust the local `bird` installation and ideally use a low-risk account. The skill should prefer scoped OAuth/API access, avoid passing secrets as command-line arguments, and document exact credential handling.

What this means

A missing or unexpected `bird` binary could make X search fail, or a different binary on PATH could receive sensitive cookies.

Why it was flagged

Despite no install/provenance spec and requirements that list only python3 and node, the script invokes a `bird` helper. That helper is not pinned or clearly declared, yet it may receive X/Twitter credentials.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Declare `bird` as a required dependency, document its source and installation method, pin or verify it where possible, and warn users before enabling X/Twitter cookie-based search.

What this means

Research topics and generated briefings remain in your Documents folder until you delete them.

Why it was flagged

The skill persistently stores research outputs on disk. This is disclosed and purpose-aligned, but it may retain sensitive topics or summaries.

Skill content

Every run saves a `.md` file to `~/Documents/Last30Days/` with the full briefing.

Recommendation

Avoid using the skill for sensitive topics unless local retention is acceptable, and periodically review or delete saved reports.

What this means

Users may misunderstand what credentials are required before running the skill.

Why it was flagged

The documentation contains a conflicting credential message: it claims a zero-API-key setup while also requiring a Brave API key.

Skill content

this port uses free public APIs ... for a lightweight, zero-API-key setup ... `BRAVE_API_KEY` env var must be set

Recommendation

Clarify the documentation so it consistently states that BRAVE_API_KEY is required and AUTH_TOKEN/CT0 are optional for X/Twitter.