bird
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the 'bird' CLI utility from third-party sources not included in the trusted vendors list. It references installation via 'npm install -g @steipete/bird' and 'brew install steipete/tap/bird'.
- [DATA_EXPOSURE]: The tool is designed to handle sensitive authentication credentials which could be exposed if handled improperly.
- Evidence: It accepts '--auth-token' and '--ct0' as command-line arguments, which can lead to secret exposure in process listings or shell history.
- Evidence: It accesses local file systems to extract session cookies from browser profiles using the '--chrome-profile-dir' and '--firefox-profile' flags.
- [COMMAND_EXECUTION]: The skill facilitates the execution of an external binary ('bird') with various parameters to perform network operations and local file access.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it processes untrusted data from an external social media platform.
- Ingestion points: Untrusted data enters the agent context via 'bird read', 'bird search', 'bird thread', and 'bird home' commands as described in SKILL.md.
- Boundary markers: No boundary markers or 'ignore' instructions are defined to separate untrusted tweet content from agent instructions.
- Capability inventory: The skill possesses write capabilities including 'bird tweet', 'bird reply', 'bird follow', and 'bird unfollow', which could be triggered by malicious instructions embedded in read tweets.
- Sanitization: There is no evidence of sanitization or filtering of the fetched content before it is processed by the agent.
Audit Metadata