find-similar-functions
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends using bunx @rayhanadev/truffler, which downloads and executes code from a remote third-party package registry. This can be exploited if the package or the author's account is compromised.
- [EXTERNAL_DOWNLOADS]: Execution of bunx @rayhanadev/truffler triggers a download of the package from the NPM registry at runtime.
- [COMMAND_EXECUTION]: The skill relies on shell command execution to perform its primary tasks, using tools like bun, bunx, and the truffler binary.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes external data (source code) without proper boundaries or sanitization.
  - Ingestion points: Scans source code directories (e.g., src/) to identify symbols.
  - Boundary markers: Missing markers to distinguish between legitimate code and potentially malicious instructions embedded in comments or strings.
  - Capability inventory: Significant capabilities including shell command execution (bun, bunx).
  - Sanitization: No validation or filtering is performed on the data retrieved from the files before it is processed by the agent.
Audit Metadata