Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Posting — Automated Twitter/X Agent
v1.0.0
Automate posting, replying, searching, and timeline reading on X (Twitter) using the bird CLI with configured Chrome profile and content strategy.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (automating X posting with bird CLI) match the runtime instructions: installing bird-cli and supplying a Chrome profile path is coherent and expected for a CLI that uses browser cookies to authenticate.
Instruction Scope
The SKILL.md instructs storing a chrome_profile_path in skills/x-posting/config.json and to run bird CLI commands that read Chrome cookies. It does not ask to read unrelated files or other credentials. Note that using the Chrome profile (and bird reading cookies) grants posting ability as the logged-in account — this is described but is a sensitive capability.
Install Mechanism
No embedded install script; it recommends installing bird-cli via npm or Homebrew, both standard package sources. No downloads from untrusted URLs or archive extraction are specified.
Credentials
No environment variables or external credentials are requested. The single sensitive requirement is access to a Chrome profile/cookies (user-supplied path) which is proportionate to authenticating the CLI but deserves user attention because it grants the ability to act as the account.
Persistence & Privilege
Skill is instruction-only, no always:true flag, and only stores a small config file under skills/x-posting/config.json. It does not request system-wide or cross-skill configuration changes.
Assessment
This skill is coherent with its purpose, but it relies on the bird-cli reading your Chrome profile/cookies to authenticate — that gives the tool the ability to post as your account. Before installing: (1) verify the bird-cli package/source (npm or Homebrew) is legitimate and reviewed; (2) consider creating and using a dedicated Chrome profile for automation so your main browsing cookies/credentials are isolated; (3) keep skills/x-posting/config.json and the chrome_profile_path private and with limited file permissions; (4) monitor account activity and be ready to revoke sessions or change your account login if you stop using the tool; (5) if you’re uncomfortable giving any tool access to your browser cookies, do not install/use this skill. If you want a stronger assurance, request the bird-cli project homepage or repository and inspect it before installing.
Like a lobster shell, security has layers — review code before you run it.
Tags: automation, latest, posting, social-media, twitter, x
