Research any topic from the last 30 days on Reddit + X + Web, synthesize findings, and write copy-paste-ready prompts. Use when the user wants recent social/web research on a topic, asks "what are people saying about X", or wants to learn current best practices. Requires OPENAI_API_KEY and/or XAI_API_KEY for full Reddit+X access, falls back to web search.
Security Analysis
medium confidenceThe skill's code and instructions largely match its stated purpose (recent social/web research), but the SKILL.md contains highly prescriptive prompts and a flagged prompt-injection pattern — something to review before trusting it with API keys or autonomous runs.
Name/description match the code: the package performs Reddit + X + web research for the last 30 days. The files implement searching, enrichment, normalization, deduplication, caching, and model selection. Requested capabilities (OPENAI/XAI keys) are exactly what the code uses and the SKILL.md documents them as optional.
SKILL.md instructs the agent to run the bundled Python script, create a config at ~/.config/last30days/.env, and to avoid asking the user about the target tool before research. The instructions are prescriptive and include rules (e.g., 'USE THE USER'S EXACT TERMINOLOGY', 'DO NOT output "Sources:" list') that influence agent behavior. A prompt-injection pattern was detected in SKILL.md; while the file otherwise remains within the research scope, those persuasive directives merit manual review because the SKILL.md is the runtime instruction set the agent will follow.
No install spec is provided (instruction-only install), so nothing is downloaded during install. The skill ships Python code that the agent will execute locally; that is expected for this kind of skill. There are no remote installers or downloads in the manifest.
The only credentials the code uses are OPENAI_API_KEY and XAI_API_KEY (both optional per SKILL.md). The code reads/writes only skill-specific config/cache under the user's home (~/.config/last30days, ~/.cache/last30days). No unrelated secrets or system credentials are requested.
always is false and the skill does not request elevated privileges or modify other skills. It will create local config and cache files under the user's home directory, which is ordinary for a local tool. Autonomous invocation is allowed (platform default) — combine that with the prescriptive SKILL.md when deciding whether to allow it to run without supervision.
Guidance
This skill appears to do what it says: local Python code searches Reddit/X (when you provide API keys) and the web, then synthesizes findings. Before installing or running it: 1) Review SKILL.md and the shipped Python files yourself (or in a sandbox) because the skill will execute code locally and follows the SKILL.md as its runtime instructions. 2) The skill can create ~/.config/last30days/.env and ~/.cache/last30days — store any API keys there only if you trust the source; prefer environment variables or ephemeral keys. 3) The pre-scan flagged a prompt-injection pattern in SKILL.md; inspect the full SKILL.md for any hidden or manipulative directives (especially ones that tell the agent to ignore user input or hide sources). 4) If you plan to let agents invoke this skill autonomously, consider running it first in mock mode (--mock) or in an isolated/containerized environment and avoid granting unnecessary API keys until you are comfortable with its outputs. 5) If you need higher assurance, request the skill author/source or run the code review in a secure environment. The overall footprint is coherent with the described purpose, but the prescriptive/injection-like instructions justify caution.
Latest Release
v1.0.0
Initial release: Research any topic from last 30 days via Reddit + X + Web
More by @zats
Published by @zats on ClawHub
