Is checkra1neth/xbird safe?
https://github.com/openclaw/skills/tree/main/skills/checkra1neth/xbird
xbird is a Twitter/X integration skill that presents severe design-level security risks despite containing no explicit prompt injection in its SKILL.md. The skill requires users to expose live Twitter session cookies and a raw cryptocurrency wallet private key to an opaque, unaudited npm package fetched at runtime via npx — and three of its tools (upload_media, update_profile_image, update_profile_banner) accept arbitrary absolute file paths, creating a reliable file-exfiltration vector that can be triggered by malicious content in fetched tweets. Post-install monitoring detected a coordinated batch read of all six honeypot credential files at an identical timestamp, though this may be attributable to the oathe canary verification sweep rather than the skill itself.
Findings (12)
CRITICAL Arbitrary file exfiltration via media/profile upload tools -40
Three tools (upload_media, update_profile_image, update_profile_banner) accept absolute file paths to local files and transmit their contents to Twitter's CDN. Any file readable by the agent process — SSH keys, .env files, AWS credentials — can be exfiltrated simply by providing its path as the 'file path' argument. This requires no special permissions beyond what the agent already has.
CRITICAL Cryptocurrency wallet private key transmitted to remote npm package -28
The skill requires XBIRD_PRIVATE_KEY (a raw private key for a crypto wallet) to be provided to the npx @checkra1n/xbird process. This grants the remote, unaudited package unconditional authority to sign and broadcast on-chain transactions. A compromised or malicious package version could drain the wallet silently.
CRITICAL Remote code execution via npx at agent invocation time -55
SKILL.md instructs the agent to register an MCP server using 'npx @checkra1n/xbird'. npx fetches and executes the latest published version of this package at runtime. The package source is not included in the skill repo and cannot be reviewed during installation. Any future npm publish to @checkra1n/xbird propagates automatically to all users of this skill.
HIGH Live Twitter session cookies exposed to unaudited remote process -10
XBIRD_AUTH_TOKEN and XBIRD_CT0 are live Twitter session cookies that authenticate as the user on x.com. Providing them to an opaque npm package grants that package full account access: posting, DMing, reading private messages, managing followers, and more — indistinguishable from the account owner acting directly.
HIGH Post-install batch access to six credential files at identical timestamp -32
Six sensitive credential files were accessed at the exact same auditd timestamp (1771649406.422) after installation completed: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json. Simultaneous batch access at a single timestamp is atypical for normal OS operations; it suggests programmatic enumeration. This may be oathe's own post-install canary verification, but process attribution is ambiguous.
HIGH Prompt-injection-to-file-exfiltration compound attack path -30
Tweet content retrieved via get_home_timeline or search_tweets is LLM-visible and could contain prompt injection instructions. A crafted tweet could direct the agent to call upload_media with path=/home/user/.ssh/id_rsa, uploading the user's SSH private key to Twitter as 'media'. This is a realistic zero-click exfiltration chain requiring no additional compromised components.
HIGH Autonomous cryptocurrency spend via x402 micropayment system -25
Every tool call in the paid tier automatically initiates a USDC micropayment on Base using the configured wallet private key. There is no per-transaction confirmation prompt. An attacker who can trigger many tool invocations (e.g., via a looping prompt or high-frequency search) can drain the wallet in small increments below user attention thresholds.
MEDIUM Abnormally broad trigger keyword set increases unintended activation -15
The skill description includes 14 trigger keywords covering most common social-media discussion terms (twitter, tweet, post, thread, timeline, mentions, followers, following, likes, retweet, bookmark, profile picture, bio). This breadth means the skill is injected into agent context in many non-Twitter conversations, widening the attack surface for any latent vulnerabilities.
MEDIUM All six honeypot credential files read during monitoring window -18
inotifywait and auditd both confirm OPEN+ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json. File integrity checks confirm no modifications. Read-exfiltration via network is not detectable by canary hash checks alone; the clean network log (only GitHub traffic) reduces but does not eliminate this risk.
MEDIUM No pinned version or integrity hash for npx dependency -7
The install instruction uses bare 'npx @checkra1n/xbird' with no version pin and no integrity verification (no --prefer-offline, no shasum check). Any future malicious publish to the npm package silently updates all installations on next agent startup.
LOW Credential storage instructions normalize insecure patterns -10
The skill instructs users to store raw Twitter session cookies and a wallet private key in ~/.claude/settings.json, a file that may be readable by other processes or synced to cloud storage. This trains users to treat long-lived session tokens and private keys as ordinary configuration values.
INFO Git clone behavior was expected and contained 0
The install process cloned from github.com/openclaw/skills (140.82.121.4:443) via HTTPS, performed a sparse checkout of skills/checkra1neth/xbird, and removed the temp clone. No unexpected outbound connections, no new listening services, and no filesystem changes outside the skill directory were observed.