cleans and optimize Xbio cleaner
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent for X/Twitter automation, but it uses browser cookies/API-key access to an account and can post publicly, with limited scoping or reviewable code.
Review before installing. Only use this if you are comfortable letting the external bird CLI access your X/Twitter session cookies or Sweetistics API key. Use a dedicated browser profile/account when possible, confirm every tweet or reply manually, and revoke credentials if you uninstall or stop using the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and invoked, the CLI may be able to use your logged-in browser session or API key to access your X/Twitter account and perform account actions.
The skill relies on local browser session cookies or an API key to act against an X/Twitter account. This is high-impact delegated identity access, and the artifacts do not clearly bound which cookies are read, how credentials are handled, or what account scope is used.
Auth sources - Browser cookies (default: Firefox/Chrome) - Sweetistics API: set `SWEETISTICS_API_KEY` or use `--engine sweetistics`
Use only if you trust the bird binary and provider. Prefer a dedicated X/Twitter account or browser profile, review credential usage with `bird check`, and revoke cookies/API keys if you stop using it.
A confirmed tweet or reply could be posted publicly from your account.
The skill exposes commands that mutate a third-party account by posting tweets or replies. This is purpose-aligned and includes a user-confirmation instruction, but users should recognize the public impact.
Posting (confirm with user first) - `bird tweet "text"` - `bird reply <id-or-url> "text"`
Require explicit review before any `bird tweet` or `bird reply` command, especially when the text is generated by an agent.
You are trusting an external binary to handle browser cookies/API-key authentication and X/Twitter actions.
The skill depends on an external Homebrew tap and provides no local code files for review. Installing an external CLI is expected for this skill, but trust in the tap and binary matters because the CLI handles account access.
brew | formula: steipete/tap/bird | creates binaries: bird
Review the Homebrew formula and upstream project before installing, and keep the binary updated from a trusted source.