bird
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install an external CLI tool from third-party sources not included in the trusted vendors list, specifically `@steipete/bird` via NPM and `steipete/tap/bird` via Homebrew.
- [REMOTE_CODE_EXECUTION]: The documentation includes instructions to execute remote code directly from the NPM registry using the `bunx` command, which downloads and runs the `@steipete/bird` package without a persistent installation.
- [COMMAND_EXECUTION]: The skill primarily operates by executing the `bird` command-line binary to perform account actions and read data.
- [DATA_EXFILTRATION]: The tool is designed to access highly sensitive local data, including browser cookie databases and profile directories (e.g., `--chrome-profile-dir`, `--cookie-source`), and reads configuration from `~/.config/bird/config.json5`. These credentials are used to authenticate requests to external servers.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from X/Twitter.
  - Ingestion points: Untrusted data enters the agent context through commands like `bird read`, `bird search`, `bird home`, and `bird mentions`.
  - Boundary markers: There are no instructions or delimiters defined to separate the external social media content from the agent's internal logic.
  - Capability inventory: The skill possesses state-changing capabilities, including `bird tweet`, `bird reply`, `bird follow`, and `bird unfollow`, which could be exploited via injection.
  - Sanitization: The skill does not mention any sanitization, filtering, or validation of the content fetched from X/Twitter.
Audit Metadata