ADHD X Bookmark Analyzer
v1.0.1Automatically scrapes, categorizes, and summarizes your X bookmarks into actionable insights delivered to your preferred messaging channel for easy review.
⭐ 1· 351·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and description match the runtime instructions: fetch X bookmarks, categorize, summarize, and deliver to a channel or archive locally. However, the registry metadata declares no required binaries or env vars while the SKILL.md expects the 'bird' CLI or browser session access and local archive writes. That mismatch (documented runtime dependencies not reflected in metadata) is unexpected and should be reconciled.
Instruction Scope
Instructions explicitly tell the agent to run `bird bookmarks`, read bookmark data, write a local archive under ~/.openclaw/workspace/skills/..., and optionally deliver summaries to external webhooks or OpenClaw messaging. The SKILL.md also suggests using OpenClaw's browser tool to access your logged-in session (browser cookies). Reading browser sessions/cookies and using external webhooks are legitimate for this task but increase exposure; the SKILL.md does not clearly limit what session data is accessed or how it's protected.
Install Mechanism
This is an instruction-only skill (no install spec), which is low risk. However the docs recommend installing `bird-cli` via npm (`npm install -g bird-cli`). Because the skill relies on a third-party npm CLI, users should vet that package (its publisher, permissions, and behavior) before installing. The skill itself does not automate this install.
Credentials
Registry metadata lists no required env vars, but the SKILL.md expects users to optionally set webhook URLs (BOOKMARK_DISCORD_WEBHOOK, BOOKMARK_SLACK_WEBHOOK). Those are sensitive secrets and the skill will read them from the environment at runtime. The documentation claims credentials for X are stored by bird CLI in ~/.bird/ and that the skill 'never handles raw tokens directly' — reasonable if you trust bird-cli — but the SKILL.md also offers a browser-cookie option which could expose more data. The skill will also write archives to the user's workspace; that filesystem access is not declared in metadata.
Persistence & Privilege
always is false (normal). The skill recommends adding a scheduled cron job for regular runs, which is user-controlled. Scheduled/autonomous runs combined with external delivery channels (webhooks) increase the impact of any misconfiguration, but the skill does not request permanent platform-wide privileges or modify other skills.
Scan Findings in Context
[no_regex_findings] expected: The repository is instruction-only (SKILL.md and rules) so the regex scanner found nothing; absence of matches is expected but provides limited assurance.
What to consider before installing
Before installing or enabling this skill: 1) Verify you want a tool to read and archive your X bookmarks and to optionally post summaries to external channels. 2) Vet the recommended bird-cli npm package (publisher, source repo, and permissions) before installing; consider running bird CLI commands manually to confirm behavior. 3) Prefer bird CLI OAuth over pasting cookies; avoid giving the agent direct access to browser sessions if you can. 4) If you must configure delivery, store webhook URLs in a secrets manager or environment variables and limit their scope; test with file-only delivery first. 5) Confirm you are comfortable with the skill writing archives to ~/.openclaw/workspace/... and review those files periodically. 6) If you want higher assurance, ask the author for a link to the bird-cli project and a minimal example run or request the skill include an explicit list of required binaries/env vars in its registry metadata. If the skill later includes code that sends data to unknown endpoints or requests additional credentials, treat it as higher risk.Like a lobster shell, security has layers — review code before you run it.
latestvk9776p2zmd9kdkf6sy0y0h0van81yh6y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.