X Bookmarks Archiver
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: x-bookmark-archiver Version: 1.0.0 The OpenClaw AgentSkills skill bundle 'x-bookmark-archiver' is classified as benign. Its core functionality involves executing the `bird CLI` to fetch X (Twitter) bookmarks, making HTTPS requests to expand `t.co` URLs, and optionally calling the OpenAI API for AI-generated summaries (if `OPENAI_API_KEY` is provided). All file system operations are confined to the OpenClaw workspace and a designated state directory. The `SKILL.md` provides clear instructions for the user and does not contain any prompt injection attempts against the agent. All observed behaviors are directly aligned with the stated purpose of archiving X bookmarks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can execute the local bird CLI and retrieve bookmarks from the X account authenticated in that tool.
The skill invokes a local shell command to run the bird CLI and fetch bookmarks. The command is fixed and purpose-aligned, but users should know it executes an authenticated local tool.
const output = execSync(`bird bookmarks -n ${FETCH_COUNT} --json`, { encoding: 'utf8', timeout: 30000 });Run it only after verifying the bird CLI installation and understanding which X account is authenticated.
The skill can read bookmark data from the authenticated X account, and optional OpenAI use may consume API quota.
The skill relies on delegated X access through bird and may use an OpenAI API key, even though registry metadata declares no primary credential. This is aligned with the stated purpose but is sensitive authority.
# Ensure bird CLI is installed and authenticated bird --version # Set OpenAI API key (optional, for AI summaries) export OPENAI_API_KEY="sk-..."
Use only accounts and API keys you intend to grant for this purpose, and revoke or unset them when not needed.
Bookmark URLs and associated tweet text may be processed by OpenAI if the API key is set.
When OPENAI_API_KEY is present, the skill sends the bookmarked URL and tweet text to OpenAI to generate metadata. This provider call is disclosed and purpose-aligned, but it moves bookmark content outside the local machine.
URL: ${url}
Tweet: ${originalText || 'N/A'} ... fetch('https://api.openai.com/v1/chat/completions', {Leave OPENAI_API_KEY unset for local-only fallback summaries, or review OpenAI's data handling terms before enabling AI summaries.
Generated archive files may contain untrusted web or tweet-derived content and may remain available to future workspace searches or agent tasks.
The skill persists bookmark-derived and AI-generated content as markdown in the OpenClaw workspace. This is the intended archive behavior, but the content originates from external/social sources and may later be reused as agent context.
const frontmatter = `--- ... link: ${bookmark.url} ... ${metadata.summary}\n`; ... fs.writeFileSync(finalFilename, frontmatter);Review generated markdown before treating it as trusted knowledge, and delete or exclude sensitive archives when appropriate.
Installing the wrong or compromised external CLI could expose the X account data that bird can access.
The skill depends on an external third-party CLI that is not bundled or pinned in the artifacts. The dependency is central to the purpose, but users must trust it before authenticating it to X.
**bird CLI** - Install from [steipete/bird](https://github.com/steipete/bird)
Verify the bird repository and release before installation, and prefer pinned or checksummed releases where possible.