ClawHub

Bird Twitter

v1.0.0

Twitter/X CLI wrapper using bird — post tweets, reply, read, search, and manage your timeline. Fast GraphQL-based X CLI.

8· 2.7k·27 current·27 all-time
by@chuhuilove
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (bird), and required env vars (AUTH_TOKEN, CT0) all align: a CLI wrapper for Twitter/X legitimately needs a bird binary and Twitter auth cookies.
Instruction Scope
SKILL.md instructs the user to extract auth_token and ct0 from browser cookies — this is coherent with the declared env vars, but copying browser cookies is sensitive and could lead non-technical users to expose credentials if done carelessly. The included helper script only validates env vars and forwards arguments to bird; it does not access other files or external endpoints.
Install Mechanism
No install spec; this is an instruction-only skill that assumes a preinstalled 'bird' binary. The small included shell wrapper is harmless and merely checks environment variables then invokes bird.
Credentials
The skill requires only AUTH_TOKEN and CT0, which are exactly the credentials needed to authenticate to Twitter via the bird CLI. Those cookies grant full account capabilities (posting, following, etc.), so they should be treated as highly sensitive.
Persistence & Privilege
always is false and there is no install that persists code beyond the included script; the skill does not modify other skills or system config. Note: disable-model-invocation is false (platform default), so the agent could call the skill autonomously unless you change that setting.
Assessment
This skill appears coherent and small, but before installing: (1) only use a bird binary from a trusted source (verify upstream repo/releases), (2) treat AUTH_TOKEN and CT0 like full-account credentials — do not paste them into untrusted places or share them, and consider using a secondary account if you fear automation mistakes, (3) follow the SKILL.md cookie extraction instructions carefully to avoid copying unrelated cookies, (4) be aware the agent can call the skill autonomously by default (allowing it to post tweets), so consider disabling autonomous invocation or restricting the agent if you want manual control.

Like a lobster shell, security has layers — review code before you run it.

latestvk976t353djc07mp6zs7rtdhzx981yjt5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐦 Clawdis
Binsbird
EnvAUTH_TOKEN, CT0
Primary envAUTH_TOKEN

Comments