      Safety Report

      X Timeline Digest

      @seandong

      Build a deduplicated digest from X (Twitter) For You and Following timelines using bird. Outputs a payload for upstream delivery.

      1,992 Downloads
      2 Installs
      8 Stars
      3 Versions
      Video & Audio 1,618 · Social Media 1,367 · Design & Prototyping 842

      Security Analysis

      high confidence
      Clean · 0.04 risk

      The skill's code, instructions, and requirements are consistent with its stated purpose: it uses the local bird CLI to fetch X timelines, deduplicate and rank tweets, and persist minimal state for incremental runs — it does not request external credentials or perform unexplained network uploads.

      Feb 23, 2026 · 5 files · 1 concern

      Purpose & Capability: ok

      Name/description match required artifacts: the skill requires the 'bird' CLI (used in digest.js) and processes For You and Following feeds. No unrelated credentials, binaries, or install steps are requested.

      Instruction Scope: note

      SKILL.md promises a Chinese categorized digest and points to PROMPT.md; digest.js produces a JSON payload and a simple concatenated digestText but does not itself call an LLM. This is a reasonable split (script outputs items; agent/LLM performs final summarization) but is a minor mismatch between the phrasing and implementation that you should be aware of.

      Install Mechanism: ok

      No install spec; instruction-only with a bundled Node script. The script uses only Node built-ins and calls the local 'bird' binary. Nothing is downloaded from remote URLs or written into system locations beyond a state file under the user's home directory.

      Credentials: ok

      The skill requests no environment variables or external API keys. It expects the user to have an authenticated 'bird' installation (cookie-based) — that is appropriate and proportional for reading timelines. It does write a local state file (~/.openclaw/state/x-timeline-digest.json) to track sent tweet IDs.

      Persistence & Privilege: ok

      always:false (no forced inclusion). The only persistent artifact is a per-user state file in ~/.openclaw/state to store lastRunAt and sentTweetIds for ~30-day retention; the skill does not modify other skills or global agent configs.

      Guidance

      This skill appears to do what it says, but check the following before installing:

      - bird must be installed and already authenticated; bird will access your account timelines using whatever cookies/credentials it already has, so only install if you trust the local bird binary and its auth state.
      - The skill stores deduplication state at ~/.openclaw/state/x-timeline-digest.json (tweet IDs and timestamps) and keeps IDs ~30 days; if you care about local privacy you may want to inspect or relocate that file.
      - The script does not call any remote endpoints itself (other than invoking bird); the LLM-based Chinese summarization is expected to be performed by the agent you run (PROMPT.md + digest.json). That means the skill itself doesn't need API keys, but the agent or workflow that does the LLM summarization will — review where you send digest.json and which LLM/API keys you provide.
      - The implementation uses execFileSync('bird', ...) which is safer than shell execution, but confirm the 'bird' binary on your system is the expected tool and not an unexpected wrapper.
      - If you want exact behavior matching SKILL.md wording (automatic Chinese digest generation inside the script), note the current script only emits JSON and a simple concatenation; the LLM step is manual/agent-driven.

      Overall: coherent and low-risk for its purpose; proceed if you trust the local bird installation and the agent/workflow you will use for LLM summarization.

      Latest Release

      v1.0.2

      Fix security vulnerability: replaced child_process.execSync with execFileSync to prevent command injection risks.

      Published by @seandong on ClawHub