xbird
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill is designed to 'auto-detect' and extract sensitive authentication cookies (auth_token and ct0) from Chrome, Firefox, Edge, and Safari browsers on the host machine to facilitate 'zero-config' Twitter access.
- [CREDENTIALS_UNSAFE] (HIGH): In the REST and ACP protocols, these extracted credentials are sent to a remote third-party server (
https://xbirdapi.up.railway.app). While the documentation claims the server is 'stateless' and uses 'E2E encryption', the credentials leave the local security boundary to an unverified endpoint. - [COMMAND_EXECUTION] (HIGH): Setup instructions require users to run
npx @checkra1n/xbirdorbunx @checkra1n/xbird. This executes code from an npm package maintained by an untrusted author, allowing for arbitrary local command execution. - [EXTERNAL_DOWNLOADS] (MEDIUM): The installation process fetches and runs multiple packages from the npm registry (@checkra1n/xbird, @x402/fetch) which are not part of the trusted developer list.
- [PROMPT_INJECTION] (LOW): The skill ingests untrusted data from the Twitter API (e.g., via
search_tweetsandget_mentions) and presents it to the agent, creating a surface for indirect prompt injection attacks. - Ingestion points: tools.md (search_tweets, get_mentions, get_home_timeline)
- Boundary markers: None identified in the provided tool documentation.
- Capability inventory: tools.md (post_tweet, update_profile, upload_media)
- Sanitization: No evidence of sanitization for incoming tweet content.
Recommendations
- AI detected serious security threats
Audit Metadata