首页龙虾技能列表 › xbird — 技能工具

xbird — 技能工具

v0.1.1

[自动翻译] Use when the user asks to tweet, post threads, read tweets, search Twitter/X, check mentions, manage engagement (like/retweet/bookmark), update profil...

0· 721·2 当前·2 累计
by @checkra1neth·MIT-0
下载技能包
License
MIT-0
最后更新
2026/4/11
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
high confidence
The skill's instructions ask you to run an unpinned npm package and supply sensitive browser cookie values and an optional wallet private key, but the registry metadata doesn't declare those requirements — these inconsistencies and sensitive requests are suspicious.
评估建议
Do not paste your Twitter session cookies or your wallet private key into a third-party skill unless you fully trust and can verify the code and publisher. The SKILL.md asks you to run an unpinned npm package via npx and to store sensitive tokens in your settings; that package will execute arbitrary code locally. Before installing: (1) verify the package source and repository (read its code, release tags, and who publishes it), (2) prefer official OAuth/API keys rather than raw session cookies, ...
详细分析 ▾
用途与能力
The skill claims to provide Twitter/X actions (read/post/engage), which is plausible, but the SKILL.md requires raw x.com cookie values (auth_token, ct0) and an optional wallet private key. The registry metadata lists no required env vars or credentials, which conflicts with the SKILL.md. Asking for browser cookies and a private key is not explained by the high-level description and is disproportionate.
指令范围
Runtime instructions tell the user to run 'claude mcp add xbird -- npx @checkra1n/xbird' (fetch-and-run via npx) and to store cookies or keys in ~/.claude/settings.json or the shell. That directs execution of remote code and explicit manual extraction/pasting of session cookies and a private key — sensitive actions that go beyond typical API OAuth flows and could enable account takeover or fund access.
安装机制
Although the registry lists no install spec, the SKILL.md instructs using npx to fetch and run @checkra1n/xbird. npx will download and execute unpinned code from the npm registry (moderate-to-high risk). The package name ("@checkra1n") and lack of a pinned, audited source or repository URL increase risk. This is an install-time action that can run arbitrary code locally.
凭证需求
The skill asks for XBIRD_AUTH_TOKEN and XBIRD_CT0 (x.com cookies) and optionally XBIRD_PRIVATE_KEY (wallet). For Twitter integration, official OAuth tokens are expected; requiring session cookies and a wallet private key is sensitive and not proportionate to the described functionality. The metadata declared no required env vars, which is inconsistent with the instructions.
持久化与权限
The instructions add an MCP server to the agent ('claude mcp add ...'), which modifies the agent's configuration and will cause the agent to rely on an external component provided by the npx package. While 'always' is false, this still creates persistent capability and a locally-running component that may act autonomously and make micropayments — combined with the private key request, this is notable.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv0.1.12026/2/13

Initial publish: 34 Twitter/X MCP tools with x402 micropayments on Base

● 可疑

安装命令 点击复制

官方npx clawhub@latest install xbird
镜像加速npx clawhub@latest install xbird --registry https://cn.clawhub-mirror.com

技能文档

34 MCP tools for Twitter/X with x402 micropayments. Runs locally from residential IP.

Setup

Add xbird MCP server to Claude Code:

claude mcp add xbird -- npx @checkra1n/xbird

Required environment variables (set in ~/.claude/settings.json or shell):

  • XBIRD_AUTH_TOKEN — from x.com cookies (DevTools → Application → Cookies → auth_token)
  • XBIRD_CT0 — from x.com cookies (DevTools → Application → Cookies → ct0)
  • XBIRD_PRIVATE_KEY — wallet private key for x402 payments (optional, needed for paid tier)

Tools Reference

Read — $0.001/call

ToolDescription
get_tweetGet tweet by ID
get_threadGet full thread/conversation chain
get_repliesGet replies to a tweet (supports count, cursor)
get_userGet user profile by handle
get_user_aboutGet detailed user info (bio, stats, links)
get_current_userGet authenticated user's profile
get_home_timelineGet home feed (supports count, cursor)
get_newsGet trending topics (tabs: trending, forYou, news, sports, entertainment)
get_listsGet owned Twitter lists
get_list_timelineGet tweets from a list by list ID

Search — $0.005/call

ToolDescription
search_tweetsSearch tweets. Supports operators: from:user, to:user, since:2024-01-01, filter:media, -filter:retweets
get_mentionsGet mentions for a handle

Bulk — $0.01/call

ToolDescription
get_user_tweetsGet user's tweets. Requires numeric userId — get it from get_user first
get_followersGet user's followers. Requires numeric userId
get_followingGet who user follows. Requires numeric userId
get_likesGet user's liked tweets. Requires numeric userId
get_bookmarksGet bookmarked tweets
get_list_membershipsGet lists user is a member of

Write — $0.01/call

ToolDescription
post_tweetPost a tweet. Pass mediaIds array to attach media
reply_to_tweetReply to a tweet by replyToId
post_threadPost a thread — array of strings, minimum 2 tweets
like_tweet / unlike_tweetLike or unlike by tweet ID
retweet / unretweetRetweet or undo by tweet ID
bookmark_tweet / unbookmark_tweetBookmark or remove by tweet ID
follow_user / unfollow_userFollow or unfollow by handle

Profile — $0.01/call

ToolDescription
update_profileUpdate bio/description text
update_profile_imageUpdate avatar — absolute file path to image
update_profile_bannerUpdate banner — absolute file path to image
remove_profile_bannerRemove banner image

Media — $0.05/call

ToolDescription
upload_mediaUpload image/video, returns mediaId. Pass it to post_tweet or reply_to_tweet via mediaIds

Common Workflows

Post a tweet with an image

  • upload_media with file path → get mediaId
  • post_tweet with text and mediaIds: [""]

Get someone's recent tweets

  • get_user with handle → get numeric userId
  • get_user_tweets with userId

Update profile with new avatar and bio

  • update_profile_image with file path
  • update_profile with new description text

Search and engage

  • search_tweets with query (e.g. "AI agents" since:2024-01-01 -filter:retweets)
  • like_tweet or retweet interesting results

Important Notes

  • Handles: work with or without @ prefix
  • userId vs handle: Bulk tools require numeric userId. Always call get_user first to resolve handle → userId
  • Pagination: most list tools accept cursor from previous response for next page
  • Media flow: always upload first, then attach mediaId to tweet
  • Rate limits: if a tool returns an error about rate limiting, wait 1-2 minutes before retrying
  • x402 payments: all calls are metered via micropayments on Base (USDC). Free tier available without wallet key
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务