bird-fast
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install and execute the '@steipete/bird' package via npm, pnpm, or bun, and a Homebrew tap (steipete/tap/bird). These originate from an individual third-party developer not included in the trusted vendors list.
- [CREDENTIALS_UNSAFE]: The tool's primary authentication method involves programmatically extracting 'auth_token' and 'ct0' cookies from the local filesystem where browser data (Safari, Chrome, Firefox) is stored. This represents unauthorized access to sensitive session credentials if the agent executes this without explicit user awareness of the underlying file access.
- [COMMAND_EXECUTION]: The skill relies extensively on executing shell commands (e.g., 'bird tweet', 'bird search') and passing user-provided strings or external data as arguments, which could lead to command injection if not properly sanitized by the underlying CLI tool.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted content from X/Twitter.
- Ingestion points: Untrusted data enters the agent context through 'bird read', 'bird search', 'bird replies', and 'bird mentions' commands.
- Boundary markers: The documentation does not specify the use of delimiters or 'ignore instructions' markers to isolate external tweet content from the agent's system prompt.
- Capability inventory: The skill provides writing capabilities ('bird tweet', 'bird reply') and access to session cookies, which an attacker could exploit via injected instructions in a read tweet.
- Sanitization: There is no evidence of content sanitization or validation before the retrieved tweet data is presented to the agent.
Audit Metadata