ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cleans and optimize Xbio cleaner

v1.0.0

X/Twitter CLI for reading, searching, and posting via cookies or Sweetistics.

0· 1.3k·0 current·0 all-time
by@soanai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description and SKILL.md describe an X/Twitter CLI (bird). However the skill name ('cleans and optimize Xbio cleaner') does not match that purpose. The declared requirement (binary 'bird' and a brew formula for steipete/tap/bird) is coherent for a Twitter CLI, but the mismatched skill name and unknown homepage (bird.fast) are odd and worth verifying.
!
Instruction Scope
Runtime instructions tell the agent to use browser cookies (Firefox/Chrome) and optionally the Sweetistics API. Accessing browser cookies implies reading local browser stores or calling a helper binary that does so — yet no config paths or permissions are declared. The SKILL.md also references an env var (SWEETISTICS_API_KEY) that the skill metadata does not list. That mismatch means the skill may access credentials or local data without them being declared.
Install Mechanism
Install is via a Homebrew formula: steipete/tap/bird. Using brew is common, but this is a third‑party tap (not necessarily homebrew/core). Third‑party taps can run arbitrary install scripts; inspect the formula repository before installing.
!
Credentials
SKILL.md documents SWEETISTICS_API_KEY as an auth source and browser cookies as a default auth method, but requires.env is empty and no config paths are declared. That omission is an inconsistency: the skill may rely on or read secrets/config that aren't declared up front.
Persistence & Privilege
always:false (no forced global presence) and no install-time actions beyond the brew formula are declared. The skill does not claim to modify other skills or system-wide settings.
What to consider before installing
This skill looks like a wrapper for the 'bird' CLI but has several red flags. Before installing: (1) verify the brew formula source (steipete/tap) on GitHub and read the formula to see what it installs; (2) confirm what the 'bird' binary will do with your browser cookies and where it reads them from — only grant access if you trust it; (3) expect to provide SWEETISTICS_API_KEY if you use that engine, and don't supply secrets unless you trust the service; (4) be wary of the mismatched skill name and unknown homepage — they may indicate sloppy packaging or a misleading listing. If unsure, run the CLI in a sandboxed environment or prefer a skill with explicit declared env/config requirements and a well-known source.

Like a lobster shell, security has layers — review code before you run it.

latestvk9738jqqwbzv18mvxxd3tq5r0180p84j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐦 Clawdis
Binsbird

Install

Install bird (brew)
Bins: bird
brew install steipete/tap/bird

Comments