Bookmark Intelligence
WarnAudited by ClawScan on May 10, 2026.
Overview
Bookmark Intelligence has a coherent purpose, but it needs review because it asks for full X session cookies and runs unsafe shell commands on bookmark links, especially in background daemon mode.
Review carefully before installing. Do not provide your main X account cookies or enable daemon mode unless you trust the code and the external tools. Prefer a sandbox or throwaway account, confirm where LLM data is sent, and wait for the shell-command handling and metadata/credential declarations to be fixed.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bookmarked tweet or linked URL could potentially cause commands to run on the user's machine with the user's permissions.
URLs are extracted from bookmark text and inserted directly into a shell command. A malicious or specially crafted bookmarked URL can contain shell metacharacters such as command substitution, causing local command execution when the analyzer runs.
const urlRegex = /https?:\/\/[^\s]+/g; ... const cmd = `curl -L -s -A "Mozilla/5.0" --max-time 10 "${url}" | head -c 100000`; const content = execSync(cmd, ...);Do not run this skill in daemon mode until fixed. Replace shell-string execution with execFile/spawn argument arrays or a safe HTTP library, validate URL schemes/hosts, and avoid piping through the shell.
Anyone or any process that obtains these cookies can access the user's X account as the user, not just read bookmarks.
The skill requires raw X session cookies with full account access, while the registry metadata declares no primary credential or required environment variables. This is broader than bookmark-only access and should be explicitly scoped and declared.
`auth_token` → Copy the Value ... `ct0` → Copy the Value ... **These cookies are like your password** - they give full access to your X account
Use a scoped OAuth/read-only mechanism if available, clearly declare AUTH_TOKEN and CT0 as sensitive credentials, document revocation steps, and consider using a dedicated low-risk X account.
A compromised, replaced, or unexpected global CLI could receive sensitive account cookies or change what the skill does.
The skill instructs users to install global, unpinned CLI packages, and bird is then given the user's X session cookies. These required binaries are not declared in the registry requirements.
npm install -g bird ... npm install -g pm2
Declare required binaries in metadata, pin package names/versions, document provenance, avoid global installs where possible, and avoid passing full session cookies to third-party CLIs.
Private bookmarks, linked page contents, and project details may be sent to an LLM provider depending on the user's OpenClaw configuration.
The LLM prompt includes tweet text, fetched article content, and the user's configured project context before being sent through the OpenClaw model provider path.
const cmd = `openclaw ask --model gpt-4o-mini --format json "$(cat ${tempFile})" ...`;Tell users exactly which model/provider receives the data, allow local/offline analysis, and let users exclude sensitive bookmarks or project context.
Private bookmarks and AI-generated summaries remain on disk and could influence future workflows if that directory is reused as context.
The skill persistently stores full bookmark records and AI analysis in the configured knowledge-base directory, which defaults to a life/resources path.
const record = { bookmark, analysis, processedAt: new Date().toISOString() }; writeFileSync(filepath, JSON.stringify(record, null, 2));Review the storage path, retention, and backups; avoid syncing this directory if bookmarks are sensitive; label stored web-derived content as untrusted.
Once enabled, the skill continues fetching bookmarks and processing links without further manual action.
The skill can be configured as a PM2 background daemon that restarts and runs hourly.
script: './monitor.js', ... autorestart: true, ... cron_restart: '0 * * * *'
Only enable daemon mode intentionally, monitor PM2 logs/status, and stop or uninstall the daemon when it is no longer needed.
Users may misunderstand whether the skill is free/open-source, proprietary, or paid, and which payment method or license terms actually apply.
The documentation describes paid, license-gated use while also claiming broad MIT usage rights; other supplied docs also describe proprietary licensing and differing payment options. This can mislead users about costs, rights, and activation.
After payment, activate your license: `node scripts/license.js activate YOUR-LICENSE-KEY` ... `MIT - Use it however you want!`
Align all documentation, package metadata, and marketplace listing on one license, one pricing model, and the exact supported payment methods before distribution.