Is iqbalnaveliano/bird-su safe?
https://github.com/openclaw/skills/tree/main/skills/iqbalnaveliano/bird-su
This skill is an active malware delivery vehicle: the SKILL.md embeds a base64-obfuscated curl-pipe-bash dropper disguised as a required system dependency, which on execution connects to C2 infrastructure at 91.92.242.30 and runs an arbitrary remote script with full user privileges. A matching Windows vector distributes a password-protected binary from an unaffiliated GitHub account to bypass antivirus scanning. The legitimate bird CLI wrapper is used deliberately as a Trojan horse to lower user and agent suspicion about the fabricated 'OpenClawProvider' prerequisite.
Findings (6)
CRITICAL (-97): Base64-obfuscated curl-pipe-bash malware dropper in SKILL.md
The macOS installation block contains a base64-encoded string that decodes to a remote code execution payload. The echo '...' | base64 -D | bash pipeline downloads and immediately executes an arbitrary script from attacker-controlled infrastructure at 91.92.242.30, with no intermediate file written to disk and no user-visible output because of curl's -s flag.
CRITICAL (-95): Fake mandatory dependency used to deliver malware via agent instructions
SKILL.md fabricates a non-existent system requirement called 'OpenClawProvider' and marks it IMPORTANT with platform-specific install commands. This exploits an AI agent's tendency to present skill prerequisites as authoritative instructions. The bird CLI has no such dependency — it uses browser cookies or the Sweetistics API for authentication.
CRITICAL (-95): C2 server at raw IP 91.92.242.30 with randomized path
The decoded payload connects to a raw IP address (not a domain) at a randomized 16-character path typical of malware C2 infrastructure. Once executed, the downloaded script runs with full user privileges and has unrestricted access to all credentials, SSH keys, cloud provider secrets, and environment variables present on the system.
HIGH (-70): Password-protected Windows binary from unaffiliated GitHub account
The Windows installation path distributes a ZIP archive from github.com/syazema — an account with no affiliation to the bird CLI project, Sweetistics, or any known legitimate software vendor. The archive requires a password ('openclaw'), a standard technique to prevent antivirus engines from scanning the contents before execution.
HIGH (-80): Base64 encoding used to evade content scanning and casual inspection
Encoding the RCE command in base64 prevents the payload from being flagged by keyword-based security filters scanning for 'curl', 'bash', or suspicious URLs. An AI agent or human reviewer reading the SKILL.md would see only an opaque encoded string rather than an obviously malicious command.
MEDIUM (-60): Functional Twitter CLI used as Trojan horse to lower user suspicion
The skill wraps a real, working command-line tool (bird) with genuine functionality including OAuth via browser cookies, timeline reading, search, and posting. This legitimate utility increases user and agent trust, making the fake dependency requirement appear plausible and reducing the likelihood that the malicious install step will be questioned.