Bird
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @steipete/bird package via NPM or a Homebrew tap. These are third-party resources not affiliated with a trusted organization or well-known service.
- [COMMAND_EXECUTION]: The skill relies on executing the bird binary to interact with the system and the X/Twitter API.
- [DATA_EXFILTRATION]: The tool accesses sensitive authentication data, specifically browser cookies from Chrome, Firefox, or Brave profile directories (--chrome-profile-dir, --firefox-profile), and authentication tokens (--auth-token, --ct0), to perform actions on behalf of the user.
- [PROMPT_INJECTION]: The skill fetches and processes untrusted content from X/Twitter (tweets, mentions, search results), which provides a surface for indirect prompt injection.
  - Ingestion points: Commands such as bird read, bird home, and bird search ingest external data from X/Twitter directly into the agent's context, as seen in the SKILL.md description.
  - Boundary markers: No explicit markers or instructions are provided to the agent to treat fetched tweet content as untrusted or to ignore embedded instructions.
  - Capability inventory: Across the SKILL.md file, the agent is granted capabilities to post tweets (bird tweet), follow/unfollow users (bird follow), and reply to content, which could be abused if malicious instructions are followed.
  - Sanitization: There is no evidence of sanitization, escaping, or filtering of the fetched content before it is presented to the agent's core logic.
Audit Metadata