v1.0.0

Bird.Backup

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:31 AM.

Analysis

Review before installing: this X/Twitter CLI is coherent, but it uses browser/session cookies and can post, reply, follow, and unfollow from your account.

Guidance: Install only if you trust the bird CLI package and are comfortable giving it access to your X/Twitter session. Use a dedicated browser profile or limited account where possible, and require explicit confirmation before any post, reply, follow, unfollow, media upload, or other account-changing command.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
bird follow @handle ... bird unfollow @handle ... bird tweet "hello world" ... bird reply <url-or-id> "nice thread!"

These are authenticated account-changing and public-posting actions. The instructions do not provide clear approval gates or safeguards before the agent uses them.

User impact: The agent could make visible changes to your X/Twitter account, including public posts, replies, follows, unfollows, and bookmark changes.
Recommendation: Require explicit user approval before any posting, replying, following, unfollowing, unbookmarking, or media upload action.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
install spec
brew formula: steipete/tap/bird; node package: @steipete/bird; creates binaries: bird

The skill depends on an externally installed CLI binary/package. This is purpose-aligned, but the supplied review artifacts do not include the binary or package source code.

User impact: You must trust the external package and Homebrew tap because that installed binary will handle your account cookies and X/Twitter actions.
Recommendation: Install only from a source you trust, verify the package/homepage, and keep it updated.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
SKILL.md
`bird` uses cookie-based auth. Use `--auth-token` / `--ct0` to pass cookies directly, or `--cookie-source` for browser cookies.

Session cookies and browser cookie stores are effectively account credentials. The registry metadata declares no primary credential, so this high-impact account access is not clearly bounded by the artifact contract.

User impact: If used carelessly or by an untrusted binary, the skill could act as the logged-in X/Twitter account associated with those cookies.
Recommendation: Only use this with an account/profile you intend to expose to the CLI, and prefer explicit tokens or a dedicated browser profile over broad access to your main browser cookies.