Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Yarn - Control and Access Threads.com via the CLI
v0.1.3
Interact with Threads (by Meta) via the yarn-threads-cli. Use when the user wants to read their home feed, likes, saved posts, or a specific thread; look up...
by Jeizzon Viana Mendes (@jeizzon)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
The SKILL.md and reference document match the name/description: this is a CLI client for Threads (read/post/search). However, the skill metadata declares no required binaries or install steps while the instructions explicitly ask users to run 'npm install -g yarn-threads-cli' and to use a browser profile or session cookies for auth. The absence of a declared required binary (npm or yarn-threads) is a minor metadata inconsistency.
Instruction Scope
Instructions are focused on Threads functionality (home, read, post, etc.) and describe three auth methods (Chrome/Firefox profile or manual session tokens). These auth steps require access to browser cookies/session tokens, which are sensitive but necessary for this CLI to work; the SKILL.md asks users to extract cookies from DevTools or point the CLI at a browser profile. The instructions do not direct the agent to read unrelated system files, but they do enable access to local browser profile paths or raw session cookies if the user chooses those options.
Install Mechanism
There is no platform-level install spec (this is instruction-only). The README tells users to npm install -g yarn-threads-cli (a public npm package with a linked GitHub repo). Installing a global npm package is a normal way to obtain a CLI but carries the usual risks of running third-party code (verify package source, maintainer, and releases).
Credentials
The functionality legitimately requires Threads authentication (sessionid, csrftoken, ds_user_id or browser profile access). The skill metadata does not request unrelated credentials or environment variables. Requesting browser cookies/session tokens is sensitive but proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges, nor does it claim to modify other skills or system-wide config. Autonomous invocation is allowed by default (normal for skills) but not combined with other concerning flags.
Assessment
This skill appears to be what it says: a CLI client for Threads that needs Threads authentication. Before installing or using it:
1) Verify the npm package and linked GitHub repo (maintainer, recent commits, open issues) because 'npm install -g' runs third-party code on your machine.
2) Avoid pasting full session cookies or tokens into third-party services—prefer pointing the CLI at a local browser profile only if you trust the tool and run it locally.
3) If you must use manual tokens, consider using a disposable/limited account and be prepared to rotate/revoke cookies if compromised.
4) Note the minor metadata inconsistency: the skill metadata doesn't list 'npm' or the CLI as required binaries even though the docs instruct installing them—this is likely an oversight but worth confirming with the publisher.
If you want higher assurance, inspect the yarn-threads-cli source on the linked GitHub repo before installing.
Like a lobster shell, security has layers — review code before you run it.
