ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cleans and optimize Xbio cleaner

v1.0.0

X/Twitter CLI for reading, searching, and posting via cookies or Sweetistics.

0· 1.4k·0 current·0 all-time
by@soanai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for soanai/xbio.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "cleans and optimize Xbio cleaner" (soanai/xbio) from ClawHub.
Skill page: https://clawhub.ai/soanai/xbio
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bird
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install soanai/xbio

ClawHub CLI

Package manager switcher

npx clawhub@latest install xbio
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description and SKILL.md describe an X/Twitter CLI (bird). However the skill name ('cleans and optimize Xbio cleaner') does not match that purpose. The declared requirement (binary 'bird' and a brew formula for steipete/tap/bird) is coherent for a Twitter CLI, but the mismatched skill name and unknown homepage (bird.fast) are odd and worth verifying.
!
Instruction Scope
Runtime instructions tell the agent to use browser cookies (Firefox/Chrome) and optionally the Sweetistics API. Accessing browser cookies implies reading local browser stores or calling a helper binary that does so — yet no config paths or permissions are declared. The SKILL.md also references an env var (SWEETISTICS_API_KEY) that the skill metadata does not list. That mismatch means the skill may access credentials or local data without them being declared.
Install Mechanism
Install is via a Homebrew formula: steipete/tap/bird. Using brew is common, but this is a third‑party tap (not necessarily homebrew/core). Third‑party taps can run arbitrary install scripts; inspect the formula repository before installing.
!
Credentials
SKILL.md documents SWEETISTICS_API_KEY as an auth source and browser cookies as a default auth method, but requires.env is empty and no config paths are declared. That omission is an inconsistency: the skill may rely on or read secrets/config that aren't declared up front.
Persistence & Privilege
always:false (no forced global presence) and no install-time actions beyond the brew formula are declared. The skill does not claim to modify other skills or system-wide settings.
What to consider before installing
This skill looks like a wrapper for the 'bird' CLI but has several red flags. Before installing: (1) verify the brew formula source (steipete/tap) on GitHub and read the formula to see what it installs; (2) confirm what the 'bird' binary will do with your browser cookies and where it reads them from — only grant access if you trust it; (3) expect to provide SWEETISTICS_API_KEY if you use that engine, and don't supply secrets unless you trust the service; (4) be wary of the mismatched skill name and unknown homepage — they may indicate sloppy packaging or a misleading listing. If unsure, run the CLI in a sandboxed environment or prefer a skill with explicit declared env/config requirements and a well-known source.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🐦 Clawdis
Binsbird

Install

Install bird (brew)
Bins: bird
brew install steipete/tap/bird
latestvk9738jqqwbzv18mvxxd3tq5r0180p84j
1.4kdownloads
0stars
1versions
Updated 12h ago
v1.0.0
MIT-0
@soanai
latest
Download

bird

Use bird to read/search X and post tweets/replies.

Quick start

  • bird whoami
  • bird read <url-or-id>
  • bird thread <url-or-id>
  • bird search "query" -n 5

Posting (confirm with user first)

  • bird tweet "text"
  • bird reply <id-or-url> "text"

Auth sources

  • Browser cookies (default: Firefox/Chrome)
  • Sweetistics API: set SWEETISTICS_API_KEY or use --engine sweetistics
  • Check sources: bird check

Comments

Loading comments...