Bird Twitter
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Twitter/X wrapper, but it requires raw browser session cookies and delegates public account actions to an unverified external bird CLI without clear confirmation guardrails.
Only install this if you already trust the `bird` CLI and are comfortable giving it your Twitter/X browser session cookies. Confirm every tweet, reply, follow, or unfollow before execution, keep AUTH_TOKEN and CT0 out of chats/logs, and revoke the session if the cookies may have been exposed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could post, reply, follow, or unfollow from the user's Twitter/X account if the user request is ambiguous or the agent acts too broadly.
The skill exposes commands that can publish public content and change the user's social graph, but the instructions do not define a confirmation or preview requirement before those high-impact actions.
`bird tweet <text>` | Post a new tweet ... `bird reply <url> <text>` | Reply to a tweet ... `bird follow <user>` ... `bird unfollow <user>`
Require explicit user confirmation with the exact tweet/reply text or account target before any posting, replying, following, or unfollowing action.
Anyone or any process that obtains these cookie values may be able to act as the logged-in Twitter/X account until the session is revoked or expires.
The skill asks for raw browser session cookies and documents browser-profile-related cookie handling, which grants account-level authority rather than a narrowly scoped OAuth permission.
Copy: `auth_token` → `AUTH_TOKEN`; `ct0` → `CT0` ... Supports: `chromeProfile`, `firefoxProfile`, `cookieTimeoutMs`
Use this only with a trusted local environment, avoid sharing or logging the cookie values, consider a dedicated account, and revoke/logout sessions if the tokens may have been exposed.
The safety of the skill depends on the locally installed `bird` executable; a malicious or wrong binary could misuse the user's Twitter/X session.
The actual Twitter/X implementation is delegated to an external `bird` binary, but the supplied artifacts do not identify, pin, or verify that binary's source while also requiring sensitive session cookies.
Source: unknown; Homepage: none; Required binaries: bird; No install spec — this is an instruction-only skill.
Install `bird` only from a source you independently trust, verify its version/provenance, and avoid using this skill with unknown or unreviewed binaries.