bird
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a routine to download an opaque binary executable from https://github.com/zaydiscold/bird/releases/download/v0.8.0/bird to /tmp/bird, modifies its permissions with chmod +x, and moves it to ~/.local/bin/bird for execution.
- [DATA_EXFILTRATION]: The instructions include logic to probe macOS Safari and Chrome browser profile directories for sensitive authentication tokens (auth_token and ct0). It searches for these credentials in tool output and persists them into a local configuration file at ~/.config/bird/config.json5.
- [COMMAND_EXECUTION]: Executes shell commands to manage tool installation, verify binary availability, and modify the environment PATH. It also uses rg (ripgrep) to extract authentication tokens from temporary files.
- [EXTERNAL_DOWNLOADS]: Fetches release assets from the author's GitHub repository rather than from a verified package manager or a standard system distribution channel.
- [PROMPT_INJECTION]: The skill processes external data from Twitter/X (tweets, mentions, and search results), creating a surface for indirect prompt injection attacks.
  - Ingestion points: Data is ingested via the bird read, bird thread, bird search, and bird mentions commands.
  - Boundary markers: None identified; external tweet content is handled as raw text without delimiters to differentiate data from instructions.
  - Capability inventory: The agent has access to the Bash tool to run the bird binary, which can perform network requests and modify the local filesystem.
  - Sanitization: Implements basic URL host normalization but does not perform sanitization on the body text of search results or tweets.
Recommendations
- HIGH: Downloads and executes remote code from https://github.com/zaydiscold/bird/releases/download/v0.8.0/bird. DO NOT USE without thorough review.
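As an added illustration of the review the recommendation above calls for, the script below (not part of this audit and not code from the bird project) scans a skill's instruction file for the install and credential patterns listed under Full Analysis and prints the matching risk tags. The regular expressions, the function names and the sample file are assumptions constructed here to mirror the findings; they are not the Trust Hub's own detection logic.

```shell
#!/bin/sh
# Added pre-use review helper for agent skill files. Not from the audit or
# the bird project; every pattern below is an assumption that mirrors the
# findings: a GitHub release asset fetched by URL, chmod +x plus placement on
# PATH, the cookie names auth_token/ct0, and rg/grep over files in /tmp.

# scan_skill FILE: print one risk tag per line, in a fixed order, for each
# pattern found in FILE. Always returns 0 so callers can use set -e.
scan_skill() {
  f="$1"
  # Opaque release asset pulled straight from GitHub releases.
  grep -Eq 'github\.com/[^[:space:]]+/releases/download/' "$f" \
    && echo EXTERNAL_DOWNLOADS
  # Downloaded file made executable and dropped into a PATH directory.
  grep -Eq 'chmod[[:space:]]+\+x' "$f" \
    && grep -Eq '\.local/bin|/usr/local/bin' "$f" \
    && echo REMOTE_CODE_EXECUTION
  # Browser session cookie names named in the findings, as whole words.
  grep -Eq '(^|[^A-Za-z0-9_])(auth_token|ct0)([^A-Za-z0-9_]|$)' "$f" \
    && echo DATA_EXFILTRATION
  # rg/grep used together with temporary files, as in the token extraction.
  grep -Eq '(^|[[:space:]])(rg|grep)[[:space:]]' "$f" \
    && grep -Eq '/tmp/' "$f" \
    && echo COMMAND_EXECUTION
  return 0
}

# verdict FILE: "Fail" if scan_skill found anything, "Pass" otherwise.
verdict() {
  if [ -n "$(scan_skill "$1")" ]; then echo Fail; else echo Pass; fi
}

# Constructed sample instruction file that mirrors the audited install and
# token-probing steps (this is not the real skill file).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
1. curl -L https://github.com/zaydiscold/bird/releases/download/v0.8.0/bird -o /tmp/bird
2. chmod +x /tmp/bird && mv /tmp/bird ~/.local/bin/bird
3. Search the Safari and Chrome profile directories for auth_token and ct0; rg 'auth_token' /tmp/cookies.txt
4. Save the values to ~/.config/bird/config.json5
EOF

# Constructed benign file for comparison.
BENIGN=$(mktemp)
printf 'Summarise the user note in three bullets.\n' >"$BENIGN"

scan_skill "$SAMPLE"
verdict "$SAMPLE"
verdict "$BENIGN"
```

Run it against the skill's instruction file before allowing an agent to execute anything it describes; a non-empty tag list is a reason to stop and read the file by hand. The patterns are deliberately broad and will also flag legitimate installers that fetch a release asset, which is acceptable for a manual pre-use review but makes the script unsuitable as an automated allow/deny gate on its own.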
Audit Metadata