Clawbird
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Clawbird is a coherent X/Twitter integration, but it can let an agent post, reply, like, follow, and DM from your account through code fetched from npm at install time rather than shipped in the reviewed archive, so it needs careful review and controls before it is given credentials.
Install only if you intend to let OpenClaw operate your X account. Before granting credentials, pin and review the npm package, use dedicated/least-privileged X credentials, and require manual approval for posts, replies, threads, likes, follows, and DMs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent mistake or a prompt-influenced action could publish content, follow users, like posts, or send DMs from the user's X account; DMs in particular are noted as irreversible once sent.
The skill can create public posts, likes, follows, replies, threads, and direct messages, while confirmation is presented as an external recommendation rather than a built-in requirement.
The following tools **modify remote state** on your X account: ... x_post_tweet ... x_post_thread ... x_reply_tweet ... x_like_tweet ... x_follow_user ... x_send_dm ... **Recommendation:** If running autonomously, consider requiring explicit user confirmation before write actions
Use agent-level tool policies that require explicit approval for every post, like, follow, reply, thread, or DM, and avoid enabling autonomous write access unless you accept the account risk.
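One way to enforce the approval requirement the finding recommends, as an added example that is not Clawbird's or OpenClaw's own code: a deny-by-default gate placed between the agent and the skill's tools. The six write tool names are the ones listed in the audit; the read-only tool names, the ApprovalStore, the policy flag and the gate's interface are assumptions made here for illustration. Each approval is bound to one tool and one exact argument set and is consumed on first use, so an approval for one post cannot be replayed for a different post or for the same post twice.

```javascript
// Added example (not code from Clawbird or OpenClaw): an approval gate in front
// of the skill's X write tools. Tool names in WRITE_TOOLS are from the audit;
// READ_TOOLS, ApprovalStore and the policy flag are assumptions for the demo.

const WRITE_TOOLS = new Set([
  "x_post_tweet", "x_post_thread", "x_reply_tweet",
  "x_like_tweet", "x_follow_user", "x_send_dm",
]);
// Assumed read-only tools; the audit does not enumerate the skill's read tools.
const READ_TOOLS = new Set(["x_get_timeline", "x_search_tweets"]);

// Recursively sort object keys so two argument objects that differ only in
// key order map to the same approval key.
function canonicalize(value) {
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.keys(value).sort().map((k) => [k, canonicalize(value[k])]),
    );
  }
  return value;
}

// An approval is bound to one tool and one exact argument set, so approving
// "post 'hello'" cannot be reused for "post 'hello' as a reply to another id".
function approvalKey(tool, args) {
  return `${tool}:${JSON.stringify(canonicalize(args))}`;
}

// Single-use approvals: a human grants one, the gate consumes it on first use,
// so an agent loop cannot repeat the same mutation under a single approval.
class ApprovalStore {
  constructor() { this.pending = new Map(); }
  grant(tool, args, approvedBy) {
    this.pending.set(approvalKey(tool, args), { approvedBy, at: Date.now() });
  }
  consume(tool, args) {
    const key = approvalKey(tool, args);
    const rec = this.pending.get(key);
    if (rec) this.pending.delete(key);
    return rec || null;
  }
}

// Decide whether a tool call may proceed. Unknown tools are refused outright;
// write tools need a matching single-use approval unless the operator has
// explicitly opted into autonomous writes (the account risk the audit flags).
function authorizeToolCall(tool, args, store, policy = {}) {
  if (READ_TOOLS.has(tool)) return { allow: true, reason: "read-only tool" };
  if (!WRITE_TOOLS.has(tool)) return { allow: false, reason: `unknown tool ${tool}` };
  if (policy.allowAutonomousWrites === true) {
    return { allow: true, reason: "autonomous writes enabled by operator" };
  }
  const rec = store.consume(tool, args);
  if (!rec) return { allow: false, reason: `${tool} needs explicit approval` };
  return { allow: true, reason: `approved by ${rec.approvedBy}` };
}

// Wrap a tool implementation so the gate runs before any X API call is made.
// Works for sync or async implementations (the promise is passed through).
function gateTool(tool, impl, store, policy) {
  return (args) => {
    const decision = authorizeToolCall(tool, args, store, policy);
    if (!decision.allow) throw new Error(`blocked: ${decision.reason}`);
    return impl(args);
  };
}
```

In use, the agent runtime would register `gateTool("x_post_tweet", realPostTweet, store)` in place of the raw tool, and a human approval step would call `store.grant(...)` with the exact arguments shown to the reviewer; anything the agent tries that was not approved verbatim is refused before a request leaves the machine.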
A changed or compromised npm package would replace the code that receives X credentials and acts on the user's X account; the clean local static scan covers only the ClawHub archive, not that fetched code.
The reviewed artifact does not contain the executable code, and the install path fetches runtime code from npm that will receive X credentials and perform account mutations.
Clawbird is an npm-distributed skill — the runtime code is installed via `npm i -g @xonder/clawbird` and is not bundled in the ClawHub skill archive... review the source or pin a specific version
Pin the exact package version, review the GitHub/npm source before granting credentials, and install only from a trusted registry source.
Anyone or any agent flow with access to this configured skill may be able to perform actions through the user's X developer credentials.
The required credentials are purpose-aligned for X account integration, but they allow the skill to act as the user for write operations.
This plugin authenticates to the X API using **OAuth 1.0a User Context** for write operations ... environment variables `X_API_KEY`, `X_API_SECRET`, `X_ACCESS_TOKEN`, `X_ACCESS_SECRET`
Use the least-privileged X app credentials available, keep tokens private, rotate them if exposed, and avoid sharing the configured environment broadly.
The working directory may contain a record of X account actions, and that record could affect duplicate-avoidance behavior in later tool use.
The skill creates local persistent task context about account actions, which is disclosed and scoped but may contain sensitive interaction history or influence later behavior.
Writes a session-scoped `clawbird-interactions.jsonl` file to the working directory, logging mutation actions (posts, likes, follows, DMs) so the agent can avoid duplicating work.
Run the skill in a private workspace, review or delete the interaction log when finished, and do not place it in shared or synced folders unless intended.
