X Alpha Scout

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s X/Twitter scanning purpose is coherent, but it asks for raw X session credentials and an external CLI that are not declared in the registry metadata.

Review this skill before installing. Its core function is understandable, but you should only use it if you are comfortable installing the `bird` CLI and giving it X/Twitter session credentials. Prefer a dedicated low-privilege X account, avoid sharing primary account cookies, and do not enable any daily automation or Discord/Telegram delivery unless you explicitly configure and trust those channels.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing users may provide account session credentials that could allow access to their X/Twitter account beyond simple public search if mishandled by the CLI or agent environment.

Why it was flagged

The skill asks for raw X/Twitter session credentials. The provided registry metadata declares no required env vars and no primary credential, so this high-impact account access is under-disclosed.

Skill content

export X_AUTH_TOKEN="your_twitter_auth_token"
export X_CT0="your_twitter_ct0_cookie"
...
bird whoami --auth-token "$X_AUTH_TOKEN" --ct0 "$X_CT0"

Recommendation

Declare the X credential requirements in metadata, explain exactly how the token and CT0 cookie are used, prefer least-privilege/API-based authentication where possible, and advise users to use a dedicated account or revoke credentials after use.

What this means

Users must trust and maintain an external binary that will receive their X/Twitter credentials.

Why it was flagged

The skill depends on a separately installed external CLI, but the registry requirements list no required binaries and there is no install spec.

Skill content

Install bird — X/Twitter CLI tool ... brew install steipete/tap/bird ... Or download from releases ... https://github.com/steipete/bird/releases

Recommendation

List `bird` as a required binary, pin or document the trusted source/version, and tell users to review the CLI before passing account credentials to it.

Note (Medium Confidence)
ASI10: Rogue Agents

What this means

If a user configures automation around this skill, the agent may repeatedly access X/Twitter and send reports to external channels.

Why it was flagged

The wording suggests recurring scheduled activity and outbound delivery, but the artifacts do not include a scheduler or persistence mechanism.

Skill content

Feature 1: Daily Alpha Report (Auto at 00:00 UTC) ... Deliver: Send to user via their preferred channel (Discord, Telegram, etc.)

Recommendation

Make recurring execution explicitly opt-in, document where reports are sent, and require user confirmation before enabling scheduled delivery.