X Reader

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims, but it relies on local X login cookies and external tools, so users should treat installation and account access as sensitive.

Before installing, confirm you are comfortable giving the skill access to X auth_token and ct0 cookies. Use a secondary X account if possible, keep ~/.config/xreader/session.json protected, and verify that xreach and Playwright are installed from trusted sources.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and configured, the skill can use your X login session to load X content, which may carry account risk.

Why it was flagged

The skill intentionally uses local X session cookies, which is purpose-aligned for authenticated X reading but grants access to an account session.

Skill content

Required: ... valid X auth cookies ... Primary auth path: ~/.config/xreader/session.json ... Expected JSON format: { "authToken": "...", "ct0": "..." }

Recommendation

Use a secondary or low-value X account, keep the session file private, and remove the cookie file if you no longer use the skill.

What this means

Existing X cookies from a related tool may be reused by this skill without prompting during execution.

Why it was flagged

The script can copy credentials from a legacy xfetch session into the xreader session path. It uses private file permissions and SKILL.md discloses the migration, but it is still credential reuse.

Skill content

const LEGACY_AUTH_PATH = path.join(HOME, '.config', 'xfetch', 'session.json'); ... saveJsonPrivate(NEW_AUTH_PATH, migrated);

Recommendation

Review ~/.config/xreader/session.json after first run and delete it if you do not want this skill to reuse legacy X authentication.

What this means

The skill’s behavior partly depends on local tools installed outside the reviewed instructions, especially xreach.

Why it was flagged

The skill depends on an external xreach CLI and an npm-installed Playwright dependency. This is disclosed and purpose-aligned, but users need to trust those dependencies.

Skill content

Required: - `xreach` - Node.js - valid X auth cookies ... Install article-mode dependency inside the skill directory: cd skills/x-reader; npm install

Recommendation

Install xreach and npm dependencies only from trusted sources, and prefer using the included package-lock when installing Playwright.