Tweet Summarizer Lite
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but it requires full Twitter/X session cookies and an external CLI for a read-only tweet lookup workflow, so users should review it carefully before use.
Install only if you are comfortable giving this skill and the bird CLI access to Twitter/X session cookies. Consider using a dedicated account, rotate cookies after use, and periodically clean the saved tweet data folder.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill means trusting the local scripts and the bird CLI with credentials that could access or act on the user's Twitter/X account if mishandled.
The skill needs full browser session cookies for a read-only tweet summarizer. That is high-impact, over-scoped account authority even though the code does not show credential logging or exfiltration.
Twitter session cookies (`AUTH_TOKEN` and `CT0`). These are **sensitive credentials** that grant full access to your Twitter account.
Use a dedicated or low-risk Twitter/X account if possible, rotate cookies after use, and prefer a scoped read-only API token if available. The registry metadata should clearly declare these credential requirements.
A changed or compromised external CLI could affect how tweet requests and session cookies are handled.
The skill depends on a globally installed third-party CLI that is not pinned in the provided artifacts. The code later passes AUTH_TOKEN and CT0 to this CLI.
npm install -g @steipete/bird
Install bird only from a trusted source, review or pin the version where possible, and avoid sharing Twitter/X cookies beyond the intended local environment.
Tweet URLs provided to the agent will be sent through the local bird CLI to Twitter/X using the user's session cookies.
The script invokes a local CLI with the user-supplied tweet URL or ID and passes session-cookie environment variables. It avoids shell execution and includes a timeout, so this is purpose-aligned but still worth noticing.
subprocess.run(['bird', 'read', url_or_id, '--plain'], env={**os.environ, 'AUTH_TOKEN': auth_token, 'CT0': ct0}, capture_output=True, text=True, timeout=10)
Only ask the skill to fetch tweets you intend to retrieve with your Twitter/X session, and keep the bird CLI trusted and up to date.
Saved tweets may remain on disk and could include sensitive or protected-account content.
Fetched tweet text is written to a persistent local index for later search and summarization.
data_dir = Path.home() / '.openclaw' / 'workspace' / 'data' / 'tweets-lite' ... tweets[tweet_id] = { 'text': tweet_text, 'timestamp': ... }
Review and delete saved tweet data when no longer needed, especially if fetching private, protected, or sensitive content.
