Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bookmark Intelligence
v1.0.0
Automatically monitors your X bookmarks, fetches linked articles, analyzes content with AI, and delivers insights relevant to your projects via notifications.
⭐ 0 · 2k · 1 current · 1 all-time
by CryptoRebbe @bkrigmo1
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code (monitor.js, analyzer.js) implements the advertised functionality: it fetches bookmarks via the bird CLI using X cookies, fetches linked articles (curl), and runs analysis (local LLM CLI or fallback heuristics). However the registry metadata claims no required binaries or env vars, which is incorrect—the skill expects the bird CLI and the AUTH_TOKEN/CT0 cookies. The package also includes seller/admin/payment scripts and on-chain wallet addresses which are not necessary for a purely consumer bookmark-analysis skill; that increases the surface without a clear reason in the metadata.
Instruction Scope
SKILL.md instructs users how to extract sensitive X cookies (auth_token, ct0) from their browser and store them in a .env file — this is necessary for the chosen approach (using bird CLI and cookie-based access) but is a high-risk operation because cookies effectively grant full account access. The runtime instructions and the code read those cookies, run shell commands (curl, bird, node scripts), and write analysis files into an external storage path (config.storageDir defaults to ../../life/resources/bookmarks). The instructions also push users to run setup/daemon and to install PM2, increasing persistence. The SKILL.md contains prompt-like LLM instruction text (asking the LLM to output JSON only) and was flagged by a pre-scan for unicode-control-chars (possible prompt-injection artifacts) — this may attempt to influence LLM behavior and should be treated cautiously.
Install Mechanism
There is no remote installer (no download-from-URL); the package provides scripts and expects local npm usage (npm run setup, npm start). That is lower risk than an arbitrary remote installer. The repository includes many scripts, but nothing in the provided files indicates an installer that pulls arbitrary code from untrusted servers. Still, installing and running this package executes shell commands (curl, bird) and uses execSync in Node.js, so runtime execution privileges are required.
Credentials
The runtime requires two highly sensitive values (AUTH_TOKEN and CT0 cookies) to access a user's X bookmarks; these are requested by the SKILL.md and consumed by monitor.js, but the registry's required env/config fields do not list them — metadata omission is a red flag. The package also contains payment/admin scripts and payment-config.json with live wallet addresses for revenue; these are not required for the core bookmark-analysis consumer workflow and expand the credential/sensitive-data footprint (though no direct secret keys for payments are present in the files shown).
Persistence & Privilege
The skill is not force-installed (always: false). It can run as a background daemon (pm2) and will persist data to disk (creates .env, config.json, bookmarks.json and writes analysis to a storageDir that by default is outside the skill directory: ../../life/resources/bookmarks). Autonomous invocation (disable-model-invocation: false) means, if you provide credentials, it can poll and act without interactive confirmation — this is expected for a monitor/daemon but increases the risk associated with providing X cookies.
Scan Findings in Context
[unicode-control-chars] unexpected: Pre-scan flagged unicode-control-chars in SKILL.md content. The SKILL.md contains LLM instruction text and may include hidden/obfuscated characters that attempt to influence LLM parsing or the evaluation process. This is not required for the stated functionality and is suspicious — review the SKILL.md for embedded control characters before trusting automated LLM-invocation.
What to consider before installing
This package does implement bookmark monitoring and analysis, but there are several things to consider before installing:
- The package requires your X cookies (auth_token and ct0) to function. Those cookies grant the same access as your account — do not provide them to software you do not fully trust. Prefer OAuth/API tokens or official APIs where possible.
- The registry metadata did NOT declare the required binaries/env vars (bird CLI, AUTH_TOKEN, CT0). That mismatch is a red flag: ask the publisher why the metadata omits these requirements.
- The skill will write files to disk (creates .env, config.json, bookmarks.json) and by default stores analyses in ../../life/resources/bookmarks (outside the skill folder). If you install, consider running it in an isolated environment (VM or container) or change storageDir to a safe path.
- The code uses execSync to run shell commands (curl, bird, rm, openclaw CLI). That is expected for this design but increases attack surface; review scripts (especially setup, payment, and admin scripts) for any outbound network calls you don't expect.
- The package bundles seller/admin/payment code and a public crypto wallet address. While that is not necessarily malicious, it is unrelated to core analysis and increases complexity—inspect scripts/payment.js and scripts/withdraw.cjs before running admin commands.
- The SKILL.md was flagged for possible hidden control characters (prompt-injection style). Do not allow the skill to autonomously invoke LLMs against sensitive prompts or to transmit your cookies/outputs to remote endpoints unless you have audited the code.
Actionable steps before installing:
1. Request the publisher to update registry metadata to list required binaries and env vars explicitly.
2. Inspect scripts/setup.js, scripts/payment.js, scripts/admin.js and any network-using code for unexpected endpoints or exfil behavior.
3. If you still want to try it, run it in a sandbox/VM, provide test/demo credentials (not your real account), and verify file writes and network activity.
4. If you must use it with real credentials, consider limiting its access (use a dedicated account), change storageDir to a safe path, and do not run daemon mode until you are confident in the code.
If you want, I can list the specific files/lines to inspect (e.g., monitor.js, analyzer.js, scripts/setup.js) or help produce minimal safe configuration edits to limit what the package can access.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97fpxb3v5wpkg7npc490a0azx80dz8b
