ClawHub

BNBot

v1.5.0

The safest and most efficient way to automate Twitter/X — BNBot operates through a real browser session with 40+ AI-powered CLI tools. Grow your Twitter with...

1· 490·1 current·1 all-time
byJack Lee@jackleeio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (BNBot automates Twitter/X via a browser session) matches the requirements: an npm package that installs a bnbot-cli binary and instructions to start a local WebSocket daemon and use a Chrome extension. Nothing requested (env vars, unrelated binaries) is inconsistent with that purpose.
Instruction Scope
SKILL.md stays on-topic: it instructs installing the CLI, starting a background 'bnbot serve' daemon listening on port 18900, using the CLI commands, and installing/enabling a Chrome extension. It permits reading local files (images) to base64-encode and send them and offers commands that download external content (WeChat, TikTok, Xiaohongshu). Those behaviors are expected for this tool but expand the data surface (local files, browser session, and network transfers).
Install Mechanism
Install is via npm (package: bnbot-cli) which is a standard, expected mechanism for a CLI distributed on npm. This is traceable but still worth inspecting (npm packages can contain arbitrary code).
Credentials
The skill requests no environment variables or credentials in the SKILL.md metadata. The Chrome extension and CLI will implicitly rely on your browser session/cookies (to control X) and local files (images), which is consistent with the stated functionality. No unrelated secrets are requested.
Persistence & Privilege
The skill instructs you to run a persistent daemon (nohup bnbot serve) that listens on TCP port 18900. That is normal for this type of tool but increases the local attack surface (network-accessible service, logs, running background process). The skill does not request elevated platform privileges or 'always: true'.
Assessment
This skill appears coherent with its purpose, but take these precautions before installing or running it: 1) Inspect the npm package (bnbot-cli) source or the linked GitHub repo and check the package publisher and recent release history; run 'npm audit' and review install scripts for unexpected actions. 2) Review the Chrome extension's permissions and privacy policy before installation — extensions may access cookies and page contents needed to operate on your logged-in X account. 3) When starting the daemon, verify it binds to localhost (127.0.0.1) rather than 0.0.0.0 and consider firewall rules to restrict access to port 18900. 4) Avoid running it on machines containing sensitive data or using your primary browser profile; use a dedicated browser profile or isolated environment. 5) Be cautious when allowing the tool to upload local files or download external content; check logs (/tmp/bnbot.log) for unexpected network targets. If you want a stronger assurance, either review the package's source code or run the CLI in a controlled VM/container first.

Like a lobster shell, security has layers — review code before you run it.

latestvk974wk1t8e8qxdt0t08wq5dnjs8324me

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
OSmacOS · Linux · Windows
Binsbnbot-cli

Install

Install bnbot-cli (npm)
Bins: bnbot-cli
npm i -g bnbot-cli

Comments