birdx
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
birdx is mostly coherent with its stated Twitter/X purpose, but it directly extracts and caches your Chrome X/Twitter session cookies and even runs that auth step during install.
Review before installing. This tool is intended to use your existing Chrome X/Twitter login, but that means it extracts and caches session cookies. Do not run the installer unless you are comfortable with that access, and consider deleting the cookie cache after use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using auth gives the tool access to the user’s logged-in X/Twitter session, which could expose or reuse account session credentials.
The CLI reads Chrome’s Safe Storage secret from macOS Keychain, opens Chrome’s cookie database, and extracts X/Twitter auth_token and ct0 cookies. That is direct use of the user’s browser session credentials.
pw = execSync('security find-generic-password -w -s "Chrome Safe Storage" -a "Chrome"' ...); ... 'Library/Application Support/Google/Chrome/Default/Cookies' ... "SELECT name, encrypted_value FROM cookies WHERE host_key LIKE '%x.com' AND name IN ('auth_token', 'ct0')"
Only use this if you intentionally want the tool to access your logged-in X/Twitter cookies. Prefer a scoped API/OAuth workflow when possible, and avoid running it on shared machines.
A local file may contain enough X/Twitter session data to reuse the account session until it expires or is refreshed.
The tool stores the full cookie string plus ct0/authToken session material in a reusable local JSON cache. The artifacts do not show restrictive file permissions or encryption for that cache.
const COOKIE_FILE = path.join(process.env.HOME, '.config/bird/birdx-cookies.json'); ... fs.writeFileSync(COOKIE_FILE, JSON.stringify({ ...cookies, savedAt: Date.now() }, null, 2)); ... return { cookieStr, ct0, authToken, source: 'chrome-disk' };
Protect or delete ~/.config/bird/birdx-cookies.json when not needed, and the publisher should set restrictive permissions and document exactly what is stored and for how long.
A user who runs the installer triggers browser session extraction as part of installation, not only after a later explicit auth command.
The install script does not just install the CLI; it immediately executes the auth command that reads Chrome cookies from disk.
echo "🔑 Running birdx auth (reads Chrome cookies from disk)..." ... "$BIRDX_JS" auth
Run the auth step manually only after reviewing the script, or the publisher should remove automatic auth from install and require an explicit user action.
The behavior of installed dependencies depends on what npm resolves at install time.
The installer fetches npm dependencies at install time without versions pinned in the artifact or a lockfile shown in the provided files. This is common for CLIs, but it matters more because the same tool handles browser session cookies.
npm install --prefix "$HOME/clawd" ws jsdom x-client-transaction-id --save-exact --silent
Prefer reviewed, pinned dependency versions with a lockfile, especially before running code that accesses browser credentials.
