Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bird.Backup
v1.0.0X/Twitter CLI for reading, searching, posting, and engagement via cookies.
⭐ 0· 45·0 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name and description claim a Twitter/X CLI using cookie auth; the skill only requires the 'bird' binary and documents commands that are consistent with such a CLI (reading, search, posting, engagement). Requiring the 'bird' binary and providing brew/npm install options is proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs use of cookie-based auth and describes passing cookies (--auth-token, --ct0) or pointing at browser cookie stores (--cookie-source, --chrome-profile-dir). Those instructions are consistent with the tool's purpose but involve accessing sensitive data (browser cookie DBs, ct0/auth cookies). The skill itself is instruction-only and does not embed code, but using the CLI as instructed can cause access to local browser profile files and cookies.
Install Mechanism
Install options are Homebrew (steipete/tap/bird) and npm (@steipete/bird). Both are plausible for distributing a CLI. Note: npm global installs execute unreviewed package code at install time; Homebrew taps are safer when coming from a trusted tap. No high-risk arbitrary URL downloads or extract steps are present.
Credentials
Registry metadata lists no required environment variables, but SKILL.md documents optional env vars and config file locations (BIRD_TIMEOUT_MS, BIRD_COOKIE_TIMEOUT_MS, BIRD_QUOTE_DEPTH, ~/.config/bird/config.json5, ./ .birdrc.json5) and expects cookies/ct0 tokens for auth. Requesting cookies or browser profile paths is reasonable for cookie-based auth but is sensitive — the skill does not require unrelated credentials and does not ask for broad system secrets beyond cookies.
Persistence & Privilege
always is false and there is no indication the skill modifies other skills or system-wide settings. The skill is user-invocable and can be invoked autonomously (platform default) but it doesn't request elevated or persistent privileges in its metadata.
Assessment
This skill is a thin wrapper around an external 'bird' CLI and appears coherent with its description, but it requires access to Twitter/X cookies to act on your behalf. Before installing or using it: 1) Verify the upstream project/repository (steipete/bird) and inspect the Homebrew tap and npm package source and maintainers; prefer installing from a trusted Homebrew tap or review the npm package contents before a global install. 2) Avoid exposing your primary browser profile; if possible create and use a dedicated browser profile that is logged into the account you want to use. 3) Prefer passing only the minimal auth token you need (and rotate tokens/passwords if you stop using the tool). 4) Be aware that supplying --chrome-profile-dir or pointing the tool at browser cookie DBs gives the CLI (and thus any code it runs) access to sensitive cookies — treat that as full account access. 5) Don’t run the installer or binary with elevated privileges. If you want higher assurance, request the skill author’s source repo and hashes for the distributed artifacts and review them before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97eafg98ydfdcaj67b2rh4c7d83qdrx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🐦 Clawdis
Binsbird
Install
Install bird (brew)
Bins: bird
brew install steipete/tap/birdInstall bird (npm)
Bins: bird
npm i -g @steipete/bird