X Knowledge Base
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its X-bookmarks-to-Obsidian purpose, but it requires raw X account tokens and hands them to an unspecified external bird CLI that the registry does not declare.
Review this skill before installing. Only use it if you trust the bird CLI and the MiniMax/Jina endpoints, understand the X tokens being provided, and are comfortable with bookmark content being stored locally and optionally sent to external AI services. Back up your Obsidian vault and consider rotating X credentials after testing.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these X tokens are mishandled, exposed, or given to an untrusted binary, they may provide access beyond just reading bookmarks.
The skill requires sensitive X credential values and passes them to an external CLI. This is purpose-related, but the registry metadata declares no required env vars or primary credential, so the account authority is under-declared.
BIRD_AUTH_TOKEN="${BIRD_AUTH_TOKEN:-}" ... BIRD_CT0="${BIRD_CT0:-}" ... bird --auth-token "$BIRD_AUTH_TOKEN" --ct0 "$BIRD_CT0" bookmarks
Use the least-privileged/revocable X credential method available, verify and trust the bird CLI before use, rotate tokens after testing, and update the skill metadata to declare these credentials clearly.
A user may install or run an unreviewed third-party CLI with sensitive X account credentials.
The runtime depends on a bird CLI that is not included, sourced, pinned, or declared as a required binary in the provided metadata, yet it is the component that receives the X tokens.
if ! command -v bird >/dev/null 2>&1; then ... echo "❌ 找不到 bird CLI,請先安裝" ... fi
Document the exact bird CLI source, version, and install method; pin or verify it; and avoid passing raw session credentials to unspecified dependencies.
External AI providers may receive the content of saved bookmarks or fetched articles.
When MINIMAX_API_KEY is set, local bookmark/article content is sent to the configured MiniMax endpoint for summarization.
文章內容:\n{truncated} ... requests.post(MINIMAX_ENDPOINT, headers=headers, json=data, timeout=45)
Do not enable MiniMax summarization for sensitive bookmarks unless you accept the provider’s data handling; leave MINIMAX_API_KEY unset to skip AI summaries.
Saved trend data can reveal interests and may bias future recommendations if bookmark tags or content are noisy or manipulated.
The skill persists an interest profile and recommended keywords derived from bookmark tags.
TRENDS_FILE = Path("/home/ubuntu/clawd/memory/interest-trends.json") ... "recommended_keywords": keywords ... TRENDS_FILE.write_text(...)
Review or delete the interest-trends file periodically, and limit which bookmark files are included in trend analysis.
The skill can bulk-edit local Markdown/bookmark files, which may affect an Obsidian vault or synced notes.
The enhancer scans Markdown files under the bookmarks directory and writes AI summaries or cross-links back into those files.
for f in BOOKMARKS_DIR.rglob("*.md"): ... path.write_text(content + links_block, encoding="utf-8")
Confirm BOOKMARKS_DIR and OBSIDIAN_DIR before running, and keep backups or version control for the vault.
