ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cleans and optimize Xbio cleaner

v1.0.0

X/Twitter CLI for reading, searching, and posting via cookies or Sweetistics.

0· 1.3k·0 current·0 all-time
by@soanai
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description and SKILL.md describe an X/Twitter CLI (bird). However the skill name ('cleans and optimize Xbio cleaner') does not match that purpose. The declared requirement (binary 'bird' and a brew formula for steipete/tap/bird) is coherent for a Twitter CLI, but the mismatched skill name and unknown homepage (bird.fast) are odd and worth verifying.
!
Instruction Scope
Runtime instructions tell the agent to use browser cookies (Firefox/Chrome) and optionally the Sweetistics API. Accessing browser cookies implies reading local browser stores or calling a helper binary that does so — yet no config paths or permissions are declared. The SKILL.md also references an env var (SWEETISTICS_API_KEY) that the skill metadata does not list. That mismatch means the skill may access credentials or local data without them being declared.
Install Mechanism
Install is via a Homebrew formula: steipete/tap/bird. Using brew is common, but this is a third‑party tap (not necessarily homebrew/core). Third‑party taps can run arbitrary install scripts; inspect the formula repository before installing.
!
Credentials
SKILL.md documents SWEETISTICS_API_KEY as an auth source and browser cookies as a default auth method, but requires.env is empty and no config paths are declared. That omission is an inconsistency: the skill may rely on or read secrets/config that aren't declared up front.
Persistence & Privilege
always:false (no forced global presence) and no install-time actions beyond the brew formula are declared. The skill does not claim to modify other skills or system-wide settings.
What to consider before installing
This skill looks like a wrapper for the 'bird' CLI but has several red flags. Before installing: (1) verify the brew formula source (steipete/tap) on GitHub and read the formula to see what it installs; (2) confirm what the 'bird' binary will do with your browser cookies and where it reads them from — only grant access if you trust it; (3) expect to provide SWEETISTICS_API_KEY if you use that engine, and don't supply secrets unless you trust the service; (4) be wary of the mismatched skill name and unknown homepage — they may indicate sloppy packaging or a misleading listing. If unsure, run the CLI in a sandboxed environment or prefer a skill with explicit declared env/config requirements and a well-known source.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🐦 Clawdis
Binsbird

Install

Install bird (brew)
Bins: bird
brew install steipete/tap/bird
latestvk9738jqqwbzv18mvxxd3tq5r0180p84j
1.3kdownloads
0stars
1versions
Updated 22h ago
v1.0.0
MIT-0
@soanai
latest
Download

bird

Use bird to read/search X and post tweets/replies.

Quick start

  • bird whoami
  • bird read <url-or-id>
  • bird thread <url-or-id>
  • bird search "query" -n 5

Posting (confirm with user first)

  • bird tweet "text"
  • bird reply <id-or-url> "text"

Auth sources

  • Browser cookies (default: Firefox/Chrome)
  • Sweetistics API: set SWEETISTICS_API_KEY or use --engine sweetistics
  • Check sources: bird check

Comments

Loading comments...