bird
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses high-impact write capabilities (tweeting, following, replying) alongside data ingestion from untrusted external sources (reading tweets, search results, mentions).
- Ingestion Points:
bird read,bird search,bird mentions, andbird homefetch content from X/Twitter. - Boundary Markers: None identified; the agent receives raw tweet text which may contain instructions.
- Capability Inventory: Includes
bird tweet,bird reply,bird follow, andbird unfollow(subprocess calls). - Sanitization: Likely absent; raw output from the CLI is passed directly to the agent context.
- Data Exposure & Credential Handling (MEDIUM): The tool is designed specifically to extract and use sensitive browser cookies (
auth_token,ct0) and accesses local browser profile directories (e.g., Arc, Chrome, Firefox cookie DBs). - External Downloads (MEDIUM): Installation relies on unverified external sources: a Homebrew tap (
steipete/tap/bird) and an NPM package (@steipete/bird). These are not within the defined trusted sources list. - Command Execution (LOW): The skill functions by executing shell commands. While expected for a CLI wrapper, it increases the attack surface if combined with prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata