← Back to Skills Marketplace
xbird
by
checkra1neth
· GitHub ↗
· v0.1.1
808
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install xbird
Description
Use when the user asks to tweet, post threads, read tweets, search Twitter/X, check mentions, manage engagement (like/retweet/bookmark), update profile (bio, avatar, banner), upload media, or interact with Twitter accounts. Triggers: twitter, tweet, post, thread, timeline, mentions, followers, following, likes, retweet, bookmark, profile picture, bio.
Usage Guidance
Do not paste your Twitter session cookies or your wallet private key into a third-party skill unless you fully trust and can verify the code and publisher. The SKILL.md asks you to run an unpinned npm package via npx and to store sensitive tokens in your settings; that package will execute arbitrary code locally. Before installing: (1) verify the package source and repository (read its code, release tags, and who publishes it), (2) prefer official OAuth/API keys rather than raw session cookies, (3) never give out your wallet private key — use an intermediate payment/account that you control with limited funds or a signing-only flow, and (4) if you must test, run any fetched code in an isolated environment (VM/container) and avoid adding it to your main agent config. Given the metadata/instruction mismatches and sensitive requests, proceed only after independent code review or prefer an official, documented integration.
Capability Analysis
Type: OpenClaw Skill
Name: xbird
Version: 0.1.1
The skill is classified as suspicious due to two main reasons. Firstly, it instructs the user to provide highly sensitive credentials, including Twitter session tokens (`XBIRD_AUTH_TOKEN`, `XBIRD_CT0`) and a crypto wallet private key (`XBIRD_PRIVATE_KEY`), to an external `npx` package (`@checkra1n/xbird`). This introduces a significant supply chain risk and exposes the user to potential credential theft if the external package is compromised. Secondly, the `update_profile_image`, `update_profile_banner`, and `upload_media` tools in `SKILL.md` accept absolute file paths, creating a local file access vulnerability where an agent could be prompted to read arbitrary local files from the filesystem.
Capability Assessment
Purpose & Capability
The skill claims to provide Twitter/X actions (read/post/engage), which is plausible, but the SKILL.md requires raw x.com cookie values (auth_token, ct0) and an optional wallet private key. The registry metadata lists no required env vars or credentials, which conflicts with the SKILL.md. Asking for browser cookies and a private key is not explained by the high-level description and is disproportionate.
Instruction Scope
Runtime instructions tell the user to run 'claude mcp add xbird -- npx @checkra1n/xbird' (fetch-and-run via npx) and to store cookies or keys in ~/.claude/settings.json or the shell. That directs execution of remote code and explicit manual extraction/pasting of session cookies and a private key — sensitive actions that go beyond typical API OAuth flows and could enable account takeover or fund access.
Install Mechanism
Although the registry lists no install spec, the SKILL.md instructs using npx to fetch and run @checkra1n/xbird. npx will download and execute unpinned code from the npm registry (moderate-to-high risk). The package name ("@checkra1n") and lack of a pinned, audited source or repository URL increase risk. This is an install-time action that can run arbitrary code locally.
Credentials
The skill asks for XBIRD_AUTH_TOKEN and XBIRD_CT0 (x.com cookies) and optionally XBIRD_PRIVATE_KEY (wallet). For Twitter integration, official OAuth tokens are expected; requiring session cookies and a wallet private key is sensitive and not proportionate to the described functionality. The metadata declared no required env vars, which is inconsistent with the instructions.
Persistence & Privilege
The instructions add an MCP server to the agent ('claude mcp add ...'), which modifies the agent's configuration and will cause the agent to rely on an external component provided by the npx package. While 'always' is false, this still creates persistent capability and a locally-running component that may act autonomously and make micropayments — combined with the private key request, this is notable.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xbird - After installation, invoke the skill by name or use
/xbird - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
Initial publish: 34 Twitter/X MCP tools with x402 micropayments on Base
Metadata
Frequently Asked Questions
What is xbird?
Use when the user asks to tweet, post threads, read tweets, search Twitter/X, check mentions, manage engagement (like/retweet/bookmark), update profile (bio, avatar, banner), upload media, or interact with Twitter accounts. Triggers: twitter, tweet, post, thread, timeline, mentions, followers, following, likes, retweet, bookmark, profile picture, bio. It is an AI Agent Skill for Claude Code / OpenClaw, with 808 downloads so far.
How do I install xbird?
Run "/install xbird" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xbird free?
Yes, xbird is completely free (open-source). You can download, install and use it at no cost.
Which platforms does xbird support?
xbird is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created xbird?
It is built and maintained by checkra1neth (@checkra1neth); the current version is v0.1.1.
More Skills