last30days
Audited by Socket on May 9, 2026
2 alerts found:
Anomaly x2
This module is not overtly malware by itself (no execution of untrusted code beyond a normal dependency import, and no direct exfiltration/network calls are present). However, it performs high-sensitivity credential extraction by targeting x.com auth cookies (auth_token and ct0) from env/CLI and optionally from local browser profiles, then returns a reusable Cookie header to the caller. The main security concerns are (1) credential-handling risk due to returning session secrets and (2) supply-chain trust in the dynamically imported cookie-access dependency.
SUSPICIOUS. The skill's purpose and visible workflow are mostly coherent for recent-trend research, and there is no direct evidence of credential theft or malicious exfiltration. However, it relies on executing an opaque vendored engine sourced from a personal GitHub project and processes untrusted external content with write capability, so the overall risk is medium rather than benign.