checkra1neth

xbird

Author: checkra1neth · GitHub · v0.1.1
cross-platform ⚠ suspicious
Total downloads: 808
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install xbird
Description
Use when the user asks to tweet, post threads, read tweets, search Twitter/X, check mentions, manage engagement (like/retweet/bookmark), update profile (bio, avatar, banner), upload media, or interact with Twitter accounts. Triggers: twitter, tweet, post, thread, timeline, mentions, followers, following, likes, retweet, bookmark, profile picture, bio.
Security guidance
Do not paste your Twitter session cookies or your wallet private key into a third-party skill unless you fully trust and can verify the code and publisher. The SKILL.md asks you to run an unpinned npm package via npx and to store sensitive tokens in your settings; that package will execute arbitrary code locally. Before installing: (1) verify the package source and repository (read its code, release tags, and who publishes it), (2) prefer official OAuth/API keys rather than raw session cookies, (3) never give out your wallet private key — use an intermediate payment/account that you control with limited funds or a signing-only flow, and (4) if you must test, run any fetched code in an isolated environment (VM/container) and avoid adding it to your main agent config. Given the metadata/instruction mismatches and sensitive requests, proceed only after independent code review or prefer an official, documented integration.
Functional analysis
Type: OpenClaw Skill
Name: xbird
Version: 0.1.1
The skill is classified as suspicious for two main reasons. Firstly, it instructs the user to provide highly sensitive credentials, including Twitter session tokens (`XBIRD_AUTH_TOKEN`, `XBIRD_CT0`) and a crypto wallet private key (`XBIRD_PRIVATE_KEY`), to an external `npx` package (`@checkra1n/xbird`). This introduces a significant supply chain risk and exposes the user to potential credential theft if the external package is compromised. Secondly, the `update_profile_image`, `update_profile_banner`, and `upload_media` tools in `SKILL.md` accept absolute file paths, creating a local file access vulnerability where an agent could be prompted to read arbitrary local files from the filesystem.
Capability assessment
Purpose & Capability
The skill claims to provide Twitter/X actions (read/post/engage), which is plausible, but the SKILL.md requires raw x.com cookie values (auth_token, ct0) and an optional wallet private key. The registry metadata lists no required env vars or credentials, which conflicts with the SKILL.md. Asking for browser cookies and a private key is not explained by the high-level description and is disproportionate.
Instruction Scope
Runtime instructions tell the user to run 'claude mcp add xbird -- npx @checkra1n/xbird' (fetch-and-run via npx) and to store cookies or keys in ~/.claude/settings.json or the shell. That directs execution of remote code and explicit manual extraction/pasting of session cookies and a private key — sensitive actions that go beyond typical API OAuth flows and could enable account takeover or fund access.
Install Mechanism
Although the registry lists no install spec, the SKILL.md instructs using npx to fetch and run @checkra1n/xbird. npx will download and execute unpinned code from the npm registry (moderate-to-high risk). The package name ("@checkra1n") and lack of a pinned, audited source or repository URL increase risk. This is an install-time action that can run arbitrary code locally.
Credentials
The skill asks for XBIRD_AUTH_TOKEN and XBIRD_CT0 (x.com cookies) and optionally XBIRD_PRIVATE_KEY (wallet). For Twitter integration, official OAuth tokens are expected; requiring session cookies and a wallet private key is sensitive and not proportionate to the described functionality. The metadata declared no required env vars, which is inconsistent with the instructions.
Persistence & Privilege
The instructions add an MCP server to the agent ('claude mcp add ...'), which modifies the agent's configuration and will cause the agent to rely on an external component provided by the npx package. While 'always' is false, this still creates persistent capability and a locally-running component that may act autonomously and make micropayments — combined with the private key request, this is notable.
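How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install xbird
  3. Once installation completes, call the Skill by name or trigger it with /xbird
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history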
v0.1.1
Initial publish: 34 Twitter/X MCP tools with x402 micropayments on Base
Metadata
Slug xbird
Version 0.1.1
License
Total installs 2
Current installs 2
Version count 1
FAQ

What is xbird?

Use when the user asks to tweet, post threads, read tweets, search Twitter/X, check mentions, manage engagement (like/retweet/bookmark), update profile (bio, avatar, banner), upload media, or interact with Twitter accounts. Triggers: twitter, tweet, post, thread, timeline, mentions, followers, following, likes, retweet, bookmark, profile picture, bio. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 808 total downloads to date.

How do I install xbird?

Run the command "/install xbird" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is xbird free?

Yes, xbird is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does xbird support?

xbird runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed xbird?

Developed and maintained by checkra1neth (@checkra1neth); the current version is v0.1.1.
