Last 30 Days
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to do the recent Reddit/X/web research it advertises, but it runs included Python code and may use local OpenAI or xAI API keys to contact external services.
This skill looks purpose-aligned, but review the bundled Python before use, especially if you plan to add OpenAI or xAI API keys. Use web-only mode or avoid sensitive research topics if you do not want queries sent to external providers.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local code that performs the research workflow and network requests.
The skill explicitly instructs running bundled Python code as part of its normal research workflow.
python3 ./scripts/last30days.py "$ARGUMENTS" --emit=compact 2>&1
Only run it from a trusted skill package, and review the bundled scripts before using API keys with it.
If configured, your provider API keys may be used to make Reddit/X research requests and could incur provider usage costs.
The code reads optional OpenAI and xAI API keys from the environment or ~/.config/last30days/.env.
'OPENAI_API_KEY': os.environ.get('OPENAI_API_KEY') or file_env.get('OPENAI_API_KEY'),
'XAI_API_KEY': os.environ.get('XAI_API_KEY') or file_env.get('XAI_API_KEY')
Use scoped provider keys where possible, keep ~/.config/last30days/.env private, and remove keys if you only want web-only mode.
Research topics may be shared with external providers such as OpenAI or xAI when their API keys are available.
The user's research topic is included in requests to an external provider API for Reddit discovery.
OPENAI_RESPONSES_URL = "https://api.openai.com/v1/responses"
...
"input": REDDIT_SEARCH_PROMPT.format(
topic=topic,
Avoid using the skill for private or sensitive topics unless you are comfortable sending those queries to the configured providers.
The skill is understandable from the included artifacts, but the registry metadata is less complete than ideal for a code-running, API-key-capable integration.
The registry metadata gives limited provenance and does not declare the optional provider credentials described in SKILL.md.
Source: unknown
Homepage: none
Required env vars: none
Env var declarations: none
Primary credential: none
Treat it as an unverified third-party skill and review the included code before adding API keys.
