Bird.Backup
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a disclosed X/Twitter CLI, but it can use browser/session cookies to act on your account, including posting and following, without clear approval boundaries.
Only install this if you intentionally want an agent-accessible X/Twitter CLI. Treat browser-cookie access like giving control of your account, use a dedicated profile or account where possible, and require manual confirmation before any public post or account-changing action.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used with your browser cookies, the agent/CLI may be able to access and act through your X/Twitter account.
Session cookies and browser profile cookies are high-impact credentials that can let the CLI act as the logged-in X/Twitter account. The artifact does not clearly bound which profile should be used, how cookies are isolated, or what account authority is granted.
`bird` uses cookie-based auth. Use `--auth-token` / `--ct0` to pass cookies directly, or `--cookie-source` for browser cookies. ... `--chrome-profile-dir <path>`
Use a dedicated browser profile or test account, avoid passing broad browser cookie stores unless necessary, and verify the package source before granting cookie access.
A mistaken or over-broad agent action could post publicly, reply, upload media, or change who your account follows.
These commands directly mutate a third-party account and can create public posts. The instructions present them as normal commands without an explicit confirmation or user-approval boundary for high-impact actions.
`bird follow @handle` ... `bird unfollow @handle` ... `bird tweet "hello world"` ... `bird reply <url-or-id> "nice thread!"`
Require explicit confirmation before any posting, replying, media upload, follow/unfollow, unbookmark, or other account-changing command.
You are trusting the external Homebrew/npm package to handle your X/Twitter session cookies safely.
The skill depends on an external CLI package/binary. This is purpose-aligned for a CLI integration, but the implementation is not included in the provided artifacts.
brew | formula: steipete/tap/bird | creates binaries: bird ... node | package: @steipete/bird | creates binaries: bird
Install only from a trusted source, review the package provenance, and keep the CLI updated.
