Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bird X CLI

v1.0.0

Command-line tool for reading, searching, and posting Twitter content using bird/birdc with multiple authentication options.

Security Scan
Capability signals
Requires sensitive credentials
Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill description says it's a CLI for reading/posting on X, which is reasonable. However the SKILL.md metadata requires anyBins: ["bird", "birdc"] and gives the reason "Bird routing daemon CLI — only useful when bird/birdc is installed". 'birdc' is commonly the control client for the BIRD BGP daemon (unrelated to Twitter), so this looks like a naming/provenance mix-up. The source/homepage are unknown, increasing the risk that the declared binaries don't match the intended Twitter client.
Instruction Scope
Runtime instructions are short and only tell the agent to call the external 'bird' CLI for actions (read/search/post). They do not tell the agent to read arbitrary system files or env vars. However the skill lists 'Browser cookies (default: Firefox/Chrome)' as an auth source — that implies the CLI will access browser cookie stores (sensitive data) even though the skill's runtime instructions do not explicitly state how cookies are obtained or whether the agent itself will access them.
Install Mechanism
No install spec and no code files — instruction-only skill. This has the lowest installation risk because nothing in the skill package will be written or executed on install. The binary 'bird' must already be present on PATH for the skill to work.
Credentials
The metadata declares no required env vars, but SKILL.md documents an optional Sweetistics API via SWEETISTICS_API_KEY (not declared). It also references browser cookie access without declaring which cookie paths or permissions are needed. Missing declaration of optional credentials and unspecified access to browser storage are disproportionate and make it unclear what secrets or files the skill will touch.
Persistence & Privilege
No elevated persistence requested (always: false) and normal autonomous invocation is allowed. The skill does not request system-wide configuration changes or permanent presence.
What to consider before installing
This skill is ambiguous and has incomplete provenance. Before installing:

  1) Verify which 'bird' binary it expects — there are multiple unrelated 'bird' projects (a Twitter client vs the BIRD BGP daemon). Installing a similarly named but unintended binary could be dangerous.
  2) Prefer a known upstream/homepage or source code; ask the author for the project's URL or a verified release.
  3) Understand authentication: the skill may access your browser cookie store (sensitive) or accept SWEETISTICS_API_KEY; confirm whether the agent or the CLI accesses cookies and which file paths are used.
  4) If you must use it, obtain the 'bird' CLI from a trusted source and run it in a sandbox first.
  5) If you do not want any tool reading browser cookies, do not install this skill until its cookie-access behavior is clarified.

Additional info that would raise confidence to 'benign': a clear upstream repo/homepage, documentation showing which 'bird' client is required, and an explicit declaration of optional env vars (e.g., SWEETISTICS_API_KEY) and any file paths accessed.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9761qcmqfr8w94zdjnw8zqw19855dg0
15 downloads
0 stars
1 version
Updated 7h ago
v1.0.0
MIT-0

bird

Use bird to read/search X and post tweets/replies.

Quick start

  • bird whoami
  • bird read <url-or-id>
  • bird thread <url-or-id>
  • bird search "query" -n 5

Posting (confirm with user first)

  • bird tweet "text"
  • bird reply <id-or-url> "text"

Auth sources

  • Browser cookies (default: Firefox/Chrome)
  • Sweetistics API: set SWEETISTICS_API_KEY or use --engine sweetistics
  • Check sources: bird check
