bird
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Data Exposure & Exfiltration (HIGH): Accesses sensitive browser data and authentication tokens. The tool is designed to extract cookies directly from browser profile directories (e.g., via
--chrome-profile-dirand--firefox-profile). This provides the agent with access to sensitive credential databases that may contain more than just X/Twitter authentication tokens. - Unverifiable Dependencies & Remote Code Execution (HIGH): Installs software from untrusted sources and uses remote execution. The skill installs
@steipete/birdvia NPM andsteipete/tap/birdvia Homebrew. These sources/authors are not on the trusted whitelist. The instructionbunx @steipete/bird whoamidownloads and executes code from an external registry at runtime without pre-verification. - Indirect Prompt Injection (LOW): Vulnerable to instructions embedded in external social media content.
- Ingestion points: The skill reads tweets, threads, and search results via
bird read,bird thread, andbird search. - Boundary markers: None are specified to protect the agent from instructions embedded in tweets.
- Capability inventory: The skill has powerful capabilities including posting tweets (
bird tweet) and managing social connections (bird follow). - Sanitization: No evidence of sanitization for the ingested content is provided.
- Command Execution (LOW): Executes shell commands to interact with the bird CLI as part of its primary functionality.
Recommendations
- AI detected serious security threats
Audit Metadata