bird
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs the
birdbinary from unverified external sources, specifically the npm package@steipete/birdand a Homebrew tapsteipete/tap/bird. These sources do not belong to the defined trusted organizations. - [DATA_EXFILTRATION] (HIGH): The tool is explicitly designed to access and extract sensitive authentication cookies from local browser profile directories (Chrome, Firefox, Arc, Brave) and configuration files. While intended for authentication, this capability allows for the exposure of session secrets if the agent is manipulated into outputting raw data (e.g., via the
--json-fullflag). - [COMMAND_EXECUTION] (HIGH): The skill metadata defines an installation path that executes package managers to install a binary with network and filesystem access. The agent is then instructed to execute this binary with various arguments that interact with external services.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core functionality.
- Ingestion points: Commands like
bird read,bird mentions,bird search, andbird homeingest untrusted, attacker-controlled content from X/Twitter directly into the agent's context. - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the skill definition.
- Capability inventory: The skill possesses significant 'write' capabilities, including the ability to post tweets (
bird tweet), reply to content (bird reply), and modify the social graph (bird follow). - Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the agent. An attacker could embed instructions in a tweet that, when read by the agent, trigger unauthorized tweets or account changes.
Recommendations
- AI detected serious security threats
Audit Metadata