ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xbird

Use when the user asks to tweet, post threads, read tweets, search Twitter/X, check mentions, manage engagement (like/retweet/bookmark), update profile (bio, avatar, banner), upload media, or interact with Twitter accounts. Triggers: twitter, tweet, post, thread, timeline, mentions, followers, following, likes, retweet, bookmark, profile picture, bio.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 580 · 2 current installs · 2 all-time installs
by@checkra1neth
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to provide Twitter/X actions (read/post/engage), which is plausible, but the SKILL.md requires raw x.com cookie values (auth_token, ct0) and an optional wallet private key. The registry metadata lists no required env vars or credentials, which conflicts with the SKILL.md. Asking for browser cookies and a private key is not explained by the high-level description and is disproportionate.
!
Instruction Scope
Runtime instructions tell the user to run 'claude mcp add xbird -- npx @checkra1n/xbird' (fetch-and-run via npx) and to store cookies or keys in ~/.claude/settings.json or the shell. That directs execution of remote code and explicit manual extraction/pasting of session cookies and a private key — sensitive actions that go beyond typical API OAuth flows and could enable account takeover or fund access.
!
Install Mechanism
Although the registry lists no install spec, the SKILL.md instructs using npx to fetch and run @checkra1n/xbird. npx will download and execute unpinned code from the npm registry (moderate-to-high risk). The package name ("@checkra1n") and lack of a pinned, audited source or repository URL increase risk. This is an install-time action that can run arbitrary code locally.
!
Credentials
The skill asks for XBIRD_AUTH_TOKEN and XBIRD_CT0 (x.com cookies) and optionally XBIRD_PRIVATE_KEY (wallet). For Twitter integration, official OAuth tokens are expected; requiring session cookies and a wallet private key is sensitive and not proportionate to the described functionality. The metadata declared no required env vars, which is inconsistent with the instructions.
!
Persistence & Privilege
The instructions add an MCP server to the agent ('claude mcp add ...'), which modifies the agent's configuration and will cause the agent to rely on an external component provided by the npx package. While 'always' is false, this still creates persistent capability and a locally-running component that may act autonomously and make micropayments — combined with the private key request, this is notable.
What to consider before installing
Do not paste your Twitter session cookies or your wallet private key into a third-party skill unless you fully trust and can verify the code and publisher. The SKILL.md asks you to run an unpinned npm package via npx and to store sensitive tokens in your settings; that package will execute arbitrary code locally. Before installing: (1) verify the package source and repository (read its code, release tags, and who publishes it), (2) prefer official OAuth/API keys rather than raw session cookies, (3) never give out your wallet private key — use an intermediate payment/account that you control with limited funds or a signing-only flow, and (4) if you must test, run any fetched code in an isolated environment (VM/container) and avoid adding it to your main agent config. Given the metadata/instruction mismatches and sensitive requests, proceed only after independent code review or prefer an official, documented integration.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.1
Download zip
latestvk9713sd828y29vth2nfjpwntxd812kzs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

xbird — Twitter/X for AI Agents

34 MCP tools for Twitter/X with x402 micropayments. Runs locally from residential IP.

Setup

Add xbird MCP server to Claude Code:

claude mcp add xbird -- npx @checkra1n/xbird

Required environment variables (set in ~/.claude/settings.json or shell):

  • XBIRD_AUTH_TOKEN — from x.com cookies (DevTools → Application → Cookies → auth_token)
  • XBIRD_CT0 — from x.com cookies (DevTools → Application → Cookies → ct0)
  • XBIRD_PRIVATE_KEY — wallet private key for x402 payments (optional, needed for paid tier)

Tools Reference

Read — $0.001/call

ToolDescription
get_tweetGet tweet by ID
get_threadGet full thread/conversation chain
get_repliesGet replies to a tweet (supports count, cursor)
get_userGet user profile by handle
get_user_aboutGet detailed user info (bio, stats, links)
get_current_userGet authenticated user's profile
get_home_timelineGet home feed (supports count, cursor)
get_newsGet trending topics (tabs: trending, forYou, news, sports, entertainment)
get_listsGet owned Twitter lists
get_list_timelineGet tweets from a list by list ID

Search — $0.005/call

ToolDescription
search_tweetsSearch tweets. Supports operators: from:user, to:user, since:2024-01-01, filter:media, -filter:retweets
get_mentionsGet mentions for a handle

Bulk — $0.01/call

ToolDescription
get_user_tweetsGet user's tweets. Requires numeric userId — get it from get_user first
get_followersGet user's followers. Requires numeric userId
get_followingGet who user follows. Requires numeric userId
get_likesGet user's liked tweets. Requires numeric userId
get_bookmarksGet bookmarked tweets
get_list_membershipsGet lists user is a member of

Write — $0.01/call

ToolDescription
post_tweetPost a tweet. Pass mediaIds array to attach media
reply_to_tweetReply to a tweet by replyToId
post_threadPost a thread — array of strings, minimum 2 tweets
like_tweet / unlike_tweetLike or unlike by tweet ID
retweet / unretweetRetweet or undo by tweet ID
bookmark_tweet / unbookmark_tweetBookmark or remove by tweet ID
follow_user / unfollow_userFollow or unfollow by handle

Profile — $0.01/call

ToolDescription
update_profileUpdate bio/description text
update_profile_imageUpdate avatar — absolute file path to image
update_profile_bannerUpdate banner — absolute file path to image
remove_profile_bannerRemove banner image

Media — $0.05/call

ToolDescription
upload_mediaUpload image/video, returns mediaId. Pass it to post_tweet or reply_to_tweet via mediaIds

Common Workflows

Post a tweet with an image

  1. upload_media with file path → get mediaId
  2. post_tweet with text and mediaIds: ["<mediaId>"]

Get someone's recent tweets

  1. get_user with handle → get numeric userId
  2. get_user_tweets with userId

Update profile with new avatar and bio

  1. update_profile_image with file path
  2. update_profile with new description text

Search and engage

  1. search_tweets with query (e.g. "AI agents" since:2024-01-01 -filter:retweets)
  2. like_tweet or retweet interesting results

Important Notes

  • Handles: work with or without @ prefix
  • userId vs handle: Bulk tools require numeric userId. Always call get_user first to resolve handle → userId
  • Pagination: most list tools accept cursor from previous response for next page
  • Media flow: always upload first, then attach mediaId to tweet
  • Rate limits: if a tool returns an error about rate limiting, wait 1-2 minutes before retrying
  • x402 payments: all calls are metered via micropayments on Base (USDC). Free tier available without wallet key

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…