The Agent Skills Directory

[PROMPT_INJECTION]: The skill documents several APIs (including Bun.file(), Bun.stdin, and Bun.serve()) that ingest data from external, potentially untrusted sources like the filesystem, network, or standard input. While the documentation notes that the shell API (Bun.$) provides automatic escaping, the use of these ingestion points in conjunction with documented capabilities for shell execution and database manipulation creates an indirect prompt injection surface.
Ingestion points: External data enters the agent context through file reads (SKILL.md), streaming standard input (references/file-io.md), and the built-in HTTP server's fetch handler (references/http-server.md).
Boundary markers: The documentation does not specify or demonstrate the use of boundary markers (e.g., XML tags) or instructions to the agent to disregard embedded commands in the data it processes.
Capability inventory: The skill documents a wide range of powerful capabilities, including shell command execution via Bun.$ and Bun.spawn, persistent file system modification via Bun.write, and database operations via Bun.sql and bun:sqlite.
Sanitization: The documentation correctly highlights that the Bun.$ API automatically escapes interpolated variables, which is a key security measure against traditional command injection, though it does not address indirect prompt injection logic.

bun-api