- Downloads: 1714
- Stars: 0
- Active Installs: 5
- Versions: 2
Install in OpenClaw
/install x-bookmarks
Description
Fetch, summarize, and manage X/Twitter bookmarks via bird CLI or X API v2. Use when: (1) user says "check my bookmarks", "what did I bookmark", "bookmark dig...
Usage Guidance
This package appears to do what it says, but take these precautions before installing:
- Source verification: the skill's source/homepage is unknown and the registry metadata contradicts SKILL.md. Only install if you trust the publisher or have reviewed the scripts.
- Prefer OAuth over manual cookie copying: use the provided x_api_auth.py flow (OAuth PKCE) rather than manually extracting/pasting auth_token and ct0 — copying cookies is sensitive and error-prone.
- Review local storage: tokens are written to ~/.config/x-bookmarks/tokens.json (the code sets 0o600). Make sure you’re comfortable storing tokens on this machine and check file ownership/permissions.
- Inspect scripts: the included scripts are small and call only bird or X API endpoints; if unsure, read them yourself or run in an isolated environment (VM/container) first.
- Validate bird-cli source: if you use the bird path, ensure you install bird-cli from its official repo/npm package and understand that it accesses browser cookie stores.
- Cron/automation: scheduled digests imply storing last-processed IDs in workspace/state — confirm where that state will be stored and secure it if it contains tokens or identifiers.
If you want higher assurance, ask the publisher for a verified homepage or run the tools locally (inspect source and run only the Python scripts you reviewed).
Capability Analysis
Type: OpenClaw Skill
Name: x-bookmarks
Version: 1.1.0
The skill is classified as suspicious primarily due to a shell injection vulnerability in `scripts/fetch_bookmarks.sh`. The script directly passes unsanitized arguments (`$@`) to the `bird` command via `exec "${CMD[@]}"`, which could allow an attacker to execute arbitrary commands if user input is not properly sanitized by the OpenClaw agent. Additionally, the `SKILL.md` instructs the AI agent to 'propose actions the agent can execute' based on bookmark content, creating a potential prompt injection vector if the agent's sandboxing or input validation is insufficient. While the skill's stated purpose is legitimate and network calls are confined to X/Twitter APIs, these vulnerabilities pose a significant risk.
Capability Assessment
Purpose & Capability
The skill's name/description (X Bookmarks) aligns with the included scripts and workflows: a bird CLI wrapper, an X API v2 fetcher, and an OAuth helper. However, the registry metadata at the top of the package claims no required env vars, binaries, or config paths while SKILL.md and the scripts explicitly document AUTH_TOKEN/CT0, optional X_API_BEARER_TOKEN, the bird binary, and ~/.config/x-bookmarks/tokens.json — an internal inconsistency the user should be aware of.
Instruction Scope
SKILL.md and the scripts confine actions to fetching bookmarks (via bird or X API), categorizing them, and storing local state/tokens. The OAuth helper runs a local HTTP callback and opens the browser (normal for PKCE). There are no instructions to read unrelated system files or transmit credentials to unexpected third parties; network calls go to X endpoints (api.x.com / x.com) as expected.
Install Mechanism
There is no automated install spec in the package (instruction-only with scripts included), so nothing is automatically downloaded or executed during install. The only external install suggested is installing bird-cli from npm, which is a normal third-party dependency. No unusual download URLs or archive extraction are present.
Credentials
The package reasonably needs authentication credentials to read private bookmarks: either browser cookie values (AUTH_TOKEN and CT0) for bird CLI or OAuth tokens / bearer token for the X API. These credentials are sensitive but proportionate to the stated functionality. Again note the registry metadata incorrectly lists no required env vars while SKILL.md requires them. Tokens are saved locally to ~/.config/x-bookmarks/tokens.json (file is created with mode 0o600 in the code).
Persistence & Privilege
The skill stores its own config and tokens under ~/.config/x-bookmarks and runs a short-lived local HTTP server during OAuth authorization; it does not request persistent platform-wide privileges nor set always:true. Storing tokens locally (with restrictive file perms) is normal for this workflow.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install x-bookmarks
- After installation, invoke the skill by name or use /x-bookmarks
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Declared credential requirements (AUTH_TOKEN, CT0, X_API_BEARER_TOKEN) and security permissions to resolve suspicious flag. Added requires and security sections to SKILL.md.
v1.0.0
Initial release: action-first bookmark digests, scheduled cron digests, content recycling, pattern detection, bookmark cleanup
Frequently Asked Questions
What is X Bookmarks?
Fetch, summarize, and manage X/Twitter bookmarks via bird CLI or X API v2. Use when: (1) user says "check my bookmarks", "what did I bookmark", "bookmark dig... It is an AI Agent Skill for Claude Code / OpenClaw, with 1714 downloads so far.
How do I install X Bookmarks?
Run "/install x-bookmarks" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is X Bookmarks free?
Yes, X Bookmarks is completely free (open-source). You can download, install and use it at no cost.
Which platforms does X Bookmarks support?
X Bookmarks is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created X Bookmarks?
It is built and maintained by sharbel (@sharbelayy); the current version is v1.1.0.