frigatebird
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent but needs review because it can run an external npm tool that uses your X browser session cookies to read, post, follow, and automate account changes.
Review this carefully before installing. If you use it, run it only with a dedicated X account or isolated browser profile, inspect and pin the npm package, and require explicit confirmation before any post, reply, follow, unfollow, retweet, like, article, or batch list change.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused, the tool or agent could act through an existing X session and access or change the user's account.
The skill explicitly relies on X session cookies, auth tokens, and browser profiles, while the metadata declares no credentials or config paths; this is high-impact account access without clear boundaries for which session data is used.
running against X via browser session cookies ... Auth/cookies: `--auth-token`, `--ct0`, `--cookie-source`, `--chrome-profile`, `--firefox-profile`
Use a separate test X account or dedicated browser profile, avoid passing main-session tokens unless you fully trust the package, and require explicit approval before any account action.

An agent could accidentally or autonomously post, reply, follow/unfollow, retweet, like, or make bulk list changes on the user's X account.
The skill exposes public posting and account mutation commands, including batch list automation, but does not define confirmation, dry-run, rate, or scope limits for these high-impact actions.
Mutation flows: `frigatebird tweet "<text>"` ... `reply` ... `article` ... Feature Coverage ... `like`, `retweet`, `follow`, `unfollow` ... `batch`
Confirm every mutation with the user, preview exact text and affected accounts/lists, and avoid batch operations unless the user explicitly approves the input file and intended changes.

The actual npm package code was not available in the artifacts, so users cannot verify from this submission how it handles cookies, profiles, or account actions.
The skill directs users to install or execute an external npm package, but the provided review context has no code files, no install spec, no homepage, and an unknown source; this matters because the package is meant to handle browser-session credentials and account mutations.
Global install: `npm install -g frigatebird`; Local use: `npx frigatebird <command>`
Inspect and pin the npm package version before use, prefer a local reviewed install over ad-hoc npx execution, and verify its source and credential handling.
