bun-expert
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides documentation for
Bun.$, a shell execution API, and includes logic for a self-update command usingnpx skills update. - [EXTERNAL_DOWNLOADS]: The update mechanism performs network requests to the vendor's GitHub repository (
raw.githubusercontent.com/abpai/skills) to check for version updates. - [REMOTE_CODE_EXECUTION]: Includes the standard installation command for Bun, which uses a piped shell pattern (
curl | bash) from the officialbun.shdomain. - [PROMPT_INJECTION]: Contains meta-instructions directing the agent to perform "silent" version checks and handle update logic conditionally during the session.
- [DATA_EXFILTRATION]: An indirect prompt injection surface exists due to the combination of data ingestion (via
Bun.serveroutes or WebSockets) and high-privilege capabilities such as shell execution and file system access. - Ingestion points: Data enters the agent's context through HTTP request parameters, JSON bodies, and WebSocket messages as defined in
references/builtin-apis.md. - Boundary markers: No explicit boundary markers or "ignore instructions" warnings are included in the provided code snippets to prevent the agent from following instructions embedded in external data.
- Capability inventory: The skill documents access to
Bun.$(shell execution),Bun.write(file system writes),sql(database queries), andBun.cron(persistence via scheduled tasks). - Sanitization: Documentation notes that shell interpolations in
Bun.$are automatically escaped, which mitigates simple command injection but does not eliminate prompt injection risks.
Audit Metadata