Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Last30 Deep Research

v1.1.1

Deep research across Reddit, X/Twitter, Hacker News, YouTube, Polymarket, and the web from the last 30 days. Synthesizes findings into a grounded, cited brie...

0· 211·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (30-day multi-source research) matches the code: it queries Reddit, Hacker News, Polymarket, Brave Search and optionally X via the 'bird' CLI. However there are mismatches: SKILL.md claims a "zero-API-key setup" in one place but also declares BRAVE_API_KEY as required for web searches; the package lists required binaries (python3, node) but the Python script only uses python3 and an external 'bird' binary (not declared). Requiring node appears unnecessary for the stated functionality.
Instruction Scope
Runtime instructions and script are focused on web/social search and synthesis. They do write output to disk (~/Documents/Last30Days/) on every run; that persistence is documented but should be noticed. SKILL.md also references a separate 'summarize' skill for YouTube transcripts but does not declare that dependency or how it's invoked. The script will call an external 'bird' CLI when X auth vars are set; the SKILL.md notes optional AUTH_TOKEN/CT0 but the binary dependency for bird is missing from the declared required binaries.
Install Mechanism
This is instruction-only plus a shipped Python script; there is no install specification that downloads and executes remote archives. That reduces install-time risk (nothing is automatically fetched/installed by the skill itself).
!
Credentials
The skill requires BRAVE_API_KEY (reasonable for Brave Web Search) and optionally AUTH_TOKEN and CT0 for X — those cookies can be sensitive and are optional but will be used if present. The manifest also requires 'node' for no clear reason. The declaration that this is zero-API-key conflicts with the actual BRAVE_API_KEY requirement. Requesting X cookie auth (AUTH_TOKEN/CT0) is proportional only if the user intends to enable X searches; it should be optional and clearly explained.
Persistence & Privilege
The script saves every run to ~/Documents/Last30Days/{topic}-{date}.md (auto-save). The skill is not always-enabled and does not request elevated platform privileges. Persisting files to the user's Documents folder is expected for a research export, but users should be aware and may want to change the save path or review what is written.
What to consider before installing
This skill largely does what it says (searches public APIs and synthesizes findings) but there are multiple packaging inconsistencies you should consider before installing: - BRAVE_API_KEY is required for web and YouTube searches; despite an earlier claim of "zero-API-key setup," the skill needs that key. If you don't want to provide a Brave key, web/YouTube searches will be skipped. - The skill will optionally use AUTH_TOKEN and CT0 (X cookies) if set — those are sensitive session cookies. Only set them if you trust the environment and intend to allow X searches. If you don't set them, X searches are skipped. - The manifest lists 'node' as a required binary but the included script appears to be Python-only; conversely, the script calls the external 'bird' CLI for X searches but 'bird' is not listed as a required binary. Confirm whether you need to install 'bird' and drop the unused 'node' requirement. - The skill auto-saves results to ~/Documents/Last30Days/, creating files for every run. If you prefer not to persist data there, change SAVE_DIR in the script or run in a sandboxed environment. - The SKILL.md references using a separate 'summarize' skill for YouTube transcripts but does not declare or automate that dependency; if you rely on transcript summarization, verify how that integration works. Recommendations: - Inspect scripts/research.py locally to confirm no hidden endpoints; the code shown uses only public endpoints (Reddit, hn.algolia, Brave, Polymarket) and a call to the 'bird' CLI. If you are not comfortable, run the script without setting AUTH_TOKEN/CT0 to avoid providing X cookies. - Provide a Brave API key with minimal scope and rotate it if you stop using the skill. - If you want to proceed, ask the author to correct the manifest (remove node if unused, add 'bird' if required, and clarify the zero-key claim) or patch the script to match your desired behavior. Confidence: medium — the issues look like sloppy packaging and documentation rather than malicious intent, but the mismatches (credentials, binaries, saving behavior) warrant caution.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📰 Clawdis
Binspython3, node
EnvBRAVE_API_KEY
latestvk978gbq5wbs84rk7b1tmfw68bx83gnfq
211downloads
0stars
2versions
Updated 3w ago
v1.1.1
MIT-0

last30 — Research Any Topic from the Last 30 Days

Attribution: Simplified port of mvanhorn/last30days-skill (v2.9.5) by @mvanhorn. Original uses ScrapeCreators API for Reddit/TikTok/Instagram; this port uses free public APIs (Reddit JSON, HN Algolia, Brave Search) for a lightweight, zero-API-key setup.

Research any topic across Reddit, X/Twitter, Hacker News, YouTube, Polymarket, and the web. Surface what people are actually discussing, recommending, debating, and betting on right now.

Trigger Phrases

  • /last30 [topic]
  • research [topic]
  • what's trending in [topic]
  • [topic] vs [topic]
  • /last30days [topic]

Prerequisites

  • BRAVE_API_KEY env var must be set (web search)
  • AUTH_TOKEN + CT0 env vars (optional, for X search via bird)
  • summarize skill available for YouTube transcripts

Parse User Intent

Before running any tools, parse the input:

  1. TOPIC: What they want to learn about
  2. QUERY_TYPE:
    • RECOMMENDATIONS — "best X", "top X", "what X should I use"
    • NEWS — "what's happening with X", "X news"
    • COMPARISON — "X vs Y", "X versus Y"
    • GENERAL — anything else

Display your parsing:

📰 Researching: {TOPIC}
Type: {QUERY_TYPE}
Sources: Reddit, X, Hacker News, YouTube, Polymarket, Web

Starting research (2-5 min)...

Quick Mode

Use --quick for faster, fewer results:

  • 10 results per source instead of 25

Deep Mode

Use --deep for comprehensive research:

  • 40 results per source
  • Full synthesis

Usage Examples

/last30 AI video tools
/last30 best CRM software
/last30 figma vs canva
/last30 openai news --deep
/last30 rust vs go --quick

How It Works

  1. Reddit — queries reddit.com/r/[subreddit]/search.json by relevance
  2. X/Twitter — uses bird (xurl) for recent posts
  3. Hacker News — queries hn.algolia.com API
  4. YouTube — runs summarize skill for video transcripts
  5. Polymarket — queries polymarket.com API for active prediction markets related to the topic
  6. Web — Brave Search API

Results are scored by engagement signals, cross-platform convergence is detected, and a synthesis is generated with inline citations.

Output Format

📰 Research: {TOPIC}
Date: {date} | Sources: Reddit, X, HN, YouTube, Web

## Key Findings
- [3-5 bullet points with citations]

## What People Are Saying
[Synthesis of top findings across all sources]

## YouTube Insights
[Video titles, channels, key moments]

## Reddit Discussions
[Top threads, top comments, upvote counts]

## X/Twitter Perspective
[Key posts, handles, engagement]

## Polymarket Insights
[Active prediction markets, consensus odds, question clarity]

## Web Findings
[News, blogs, tutorials discovered]

## Stats
- Reddit: {n} results
- X: {n} results
- HN: {n} results
- YouTube: {n} results
- Polymarket: {n} results
- Web: {n} results

Saved to: ~/Documents/Last30Days/{topic-slug}.md

Environment Variables

VariableRequiredPurpose
BRAVE_API_KEYYesBrave Search for web results
AUTH_TOKENNoX/Twitter cookie auth for bird
CT0NoX/Twitter cookie auth for bird

Auto-Save

Every run saves a .md file to ~/Documents/Last30Days/ with the full briefing. Filename: {topic-slug}-{date}.md

Comments

Loading comments...