last30days
Warn
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill includes a bundled Twitter GraphQL client (
bird-search) that programmatically accesses local browser cookie databases (Safari, Chrome, Firefox) to extract session tokens. This involves high-privilege access to sensitive local authentication data stored at paths such as~/Library/Application Support/Google/Chrome/Default/Cookies. - [CREDENTIALS_UNSAFE]: The bundled client code in
scripts/lib/vendor/bird-search/lib/twitter-client-base.jscontains a hardcoded Bearer token used for API authentication with X (Twitter). - [COMMAND_EXECUTION]: The skill executes local scripts and system utilities like
yt-dlpandnodevia subprocess calls to perform its research and data extraction functions. - [EXTERNAL_DOWNLOADS]: Outbound network requests are made to various service providers including OpenAI, xAI, Reddit, YouTube, Brave Search, Parallel AI, and OpenRouter to gather research data.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection. It ingests untrusted content from Reddit threads, X posts, and YouTube transcripts (ingestion points:
last30days.py,openai_reddit.py,xai_x.py,youtube_yt.py) and provides this data to the agent for synthesis. The skill lacks explicit boundary markers or instructions to ignore embedded commands within the processed data, and the agent environment has capabilities (Bash, Write) that could be targeted by a successful injection.
Audit Metadata