X Timeline Digest

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.install_untrusted_source

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The digest may include personalized or otherwise account-visible tweets and then output them for the agent or upstream workflows to use.

Why it was flagged

The skill relies on an authenticated X/Twitter session managed by bird. That is expected for reading a personalized timeline, but it means the skill can access account-specific timeline content.

Skill content
- bird must already be authenticated (cookie login)
- Read-only usage
Recommendation

Install only if you are comfortable letting the skill read your authenticated X timelines; review any downstream workflow that receives the digest.

What this means

If the bird executable in PATH is not the one you expect, running the skill could execute unintended local code.

Why it was flagged

The code executes a local binary named bird from PATH. The arguments are fixed by the script and align with the documented purpose, but execution depends on the local bird binary being trustworthy.

Skill content
const output = execFileSync('bird', argsArray, { encoding: 'utf8', maxBuffer: 10 * 1024 * 1024 });
Recommendation

Use a trusted bird installation, keep PATH controlled, and consider configuring an absolute path if your environment supports it.

Note. Medium confidence
ASI01: Agent Goal Hijack
What this means

A malicious or joking tweet could try to steer the summarizing agent away from the intended digest task, especially if the agent has other tools enabled.

Why it was flagged

The prompt asks an LLM to process raw tweet JSON. Tweets are untrusted external text and could contain instructions that try to influence the agent during summarization.

Skill content
**Raw JSON Input:**
{{JSON_DATA}}
Recommendation

Treat tweet contents as data only, keep tool access limited during summarization, and add explicit prompt language telling the model to ignore instructions inside tweets.

What this means

The state file may reveal a history of processed tweet IDs and, if modified, could cause tweets to be skipped or repeated.

Why it was flagged

The skill stores persistent state used to decide which tweet IDs have already been processed. This is disclosed and scoped to the skill, but it can influence future outputs.

Skill content
statePath: path.join(os.homedir(), '.openclaw/state/x-timeline-digest.json')
Recommendation

Keep the .openclaw state directory protected by normal user permissions and delete the state file if you want to reset digest history.

Findings (2)

critical: suspicious.dangerous_exec
Location: digest.js:77
Finding: Shell command execution detected (child_process).

warn: suspicious.install_untrusted_source
Location: latest_digest.json:14
Finding: Install source points to URL shortener or raw IP.