bird
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions direct the agent to run commands using
bunx birdorbunx @steipete/bird. This execution model downloads and runs a package from the npm registry at runtime, which constitutes an unverified external dependency being executed on the system. - [CREDENTIALS_UNSAFE]: The tool is specifically designed to harvest authentication cookies from the user's browser (e.g., Chrome 'Default' profile). This involves accessing sensitive local credential databases and system keychains which contain personal session tokens.
- [COMMAND_EXECUTION]: The skill operates entirely through shell command execution via the
bunxwrapper, providing the agent with a broad interface for system interaction and subprocess spawning. - [DATA_EXFILTRATION]: By accessing browser cookies and providing commands to read private data such as bookmarks, likes, and chronological timelines, the skill creates a vector for exposing sensitive personal information.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from Twitter/X.
- Ingestion points: Commands like
bunx bird read,bunx bird search, andbunx bird mentionspull external content into the agent's context (SKILL.md, references/commands.md). - Boundary markers: There are no instructions or delimiters provided to differentiate between the retrieved tweet content and the agent's core instructions.
- Capability inventory: The agent possesses the capability to execute shell commands and perform write operations (tweeting/replying) based on the data it reads.
- Sanitization: There is no mention of sanitization, filtering, or validation of the retrieved tweet content before it is processed by the agent.
Audit Metadata