ADHD X Bookmark Analyzer
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is purpose-aligned, but it deserves review because it uses logged-in X access, may rely on a browser session, stores bookmark archives, and can send summaries to external chat channels.
Install only if you are comfortable giving the agent access to your X bookmarks. Prefer the documented bird CLI path over browser-session access, verify the CLI package and OAuth permissions, use private delivery channels or file-only mode for sensitive data, and monitor any cron job or local archive it creates.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the browser-session path is used, the agent may operate with the user's logged-in X account context, not just a narrow bookmark-read token.
This instructs the agent to use an authenticated browser session for X. That is broader than a clearly scoped read-only bookmark credential, even though the stated purpose is only to read bookmarks.
"Option B: Browser Session (Advanced)" ... "Log into X in Chrome/Safari" ... "OpenClaw's browser tool can access your session"
Prefer the bird CLI/OAuth path with the narrowest available permissions, avoid browser-session access unless necessary, and confirm the agent must not post, delete, DM, or change account data.
Private or sensitive bookmarked content could appear in Discord, Slack, Telegram, or any configured webhook destination.
The skill can send bookmark summaries to third-party messaging channels or webhooks. This is disclosed and purpose-aligned, but it moves potentially private bookmark content outside the local workspace.
"Channel delivery (Discord, Slack, Telegram, or file-only)" and "export BOOKMARK_DISCORD_WEBHOOK=\"https://discord.com/api/webhooks/...\""
Use file-only mode or a private channel for sensitive bookmarks, protect webhook URLs, and rotate any webhook that may have been exposed.
Anyone or any agent with access to the workspace may be able to review the saved bookmark archive and search index.
The skill creates persistent local snapshots and an index of bookmark content. This is disclosed and useful for search, but it stores a reusable record of private reading interests.
"Bookmarks are saved locally in your workspace" ... "bookmark-archive/" ... "Searchable Index"
Keep the workspace private, periodically delete old archive files if they are no longer needed, and avoid archiving highly sensitive bookmarks.
A scheduled job may continue processing and sending bookmark summaries after the initial setup if the user forgets it is enabled.
The skill documents an optional recurring schedule that can repeatedly fetch and send bookmark summaries. This is user-directed and disclosed, but it creates ongoing automation.
"openclaw cron add --every \"1d\" --at \"09:00\" --message \"Analyze my X bookmarks from the last 24 hours and post summary to Discord\""
Only add the cron job if recurring reports are desired, review where it posts, and remove or pause the schedule when no longer needed.
Installing the wrong or compromised npm package could expose the X account access used by the CLI.
The setup uses a user-directed, unpinned global npm install for the X bookmark CLI. This is central to the skill's purpose, but the artifacts do not pin or verify the package.
"npm install -g bird-cli"
Verify the bird-cli package source and maintainer, consider pinning a known-good version, and review its requested OAuth permissions before logging in.