Yarn - Control and Access Threads.com via the CLI
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The CLI can access private Threads account views and act as the logged-in user if the agent or user supplies these credentials/profile paths.
The CLI is documented to authenticate with raw Threads session cookies or local browser profile/cookie database data. This is high-impact account access, especially because the registry metadata declares no primary credential or config path.
`--session-id <token>` | Threads sessionid cookie ... `--csrf-token <token>` ... `--chrome-profile-dir <path>` | Chrome/Chromium profile directory or cookie DB path
Use a dedicated browser profile or limited session for this tool, avoid exposing raw cookies when possible, and revoke/log out the session if you stop using it.
A mistaken or over-broad agent action could publish content, replies, or quotes from the user's Threads account.
The skill exposes commands that create posts, replies, and quotes on Threads, but the artifacts do not include explicit confirmation, preview, or rollback guidance before publishing.
`yarn-threads post "text"` ... `yarn-threads reply <url-or-code> "text"` ... `yarn-threads quote <url-or-code> "text"`
Require explicit user confirmation showing the exact text, target URL, and account before any post, reply, or quote command is run.
The actual npm package will handle the Threads session/profile access, so its behavior and updates are outside this artifact review.
The skill depends on a globally installed npm CLI that is not included in the reviewed artifacts. This is central to the stated purpose, but the installed package is unpinned and not reviewed here.
`npm install -g yarn-threads-cli`
Verify the npm package and source repository before installing, prefer a pinned version, and consider installing it in an isolated environment.