bun-react-ssr
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The static file serving implementation in src/server.tsx is vulnerable to path traversal. url.pathname is passed to Bun.file() without being normalized or checked against the intended static directory, so a remote client can use ".." segments (plain or percent-encoded) to read files outside that directory, potentially any file on the host that the server process can read.
- [DATA_EXFILTRATION]: The server-side data hydration example in src/server.tsx embeds data in the HTML response unsafely. It writes the output of JSON.stringify directly into a <script> element; JSON.stringify does not escape "<", so a string value containing "</script>" closes the element early and the remainder (for example, "</script><script>alert(1)</script>") is parsed by the browser as HTML, giving Cross-Site Scripting (XSS) whenever the hydrated data contains attacker-controlled strings.
- [COMMAND_EXECUTION]: The development setup (dev.ts) uses Bun.spawn to run local shell commands. This is standard for development workflows, but it means the script can execute arbitrary commands on the host machine, so it should only be run in a trusted environment and never be exposed to untrusted input.
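The following TypeScript is an added example written for this audit page; it is not code from the bun-react-ssr project, and the directory name "public", the function names resolveStaticPath and safeJsonForScript, and the sample inputs are all assumptions made here. It shows the two hardening steps the first two findings call for: resolving a requested URL path against a fixed static root and rejecting anything that escapes it (the audit describes url.pathname being handed straight to Bun.file()), and escaping JSON so it can be placed inside a <script> element without a "</script>" in the data breaking out of it. It uses only node:path so it runs under Node or Bun.

```typescript
import * as path from "node:path";

// Assumed static root; the audited project's real directory layout is not on the page.
export const PUBLIC_ROOT = path.resolve("public");

// Map a request pathname to an absolute file path under `root`, or return null if the
// request is malformed or would resolve outside `root`. This is the check that is missing
// when url.pathname is passed to Bun.file() unmodified.
export function resolveStaticPath(pathname: string, root: string = PUBLIC_ROOT): string | null {
  let decoded: string;
  try {
    // Decode first so "%2e%2e" is seen as ".." by the normalization below.
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-encoding
  }
  // NUL bytes can truncate the path in native layers; backslashes are rejected so the
  // result does not depend on the platform's separator rules.
  if (decoded.includes("\0") || decoded.includes("\\")) return null;

  const absRoot = path.resolve(root);
  // path.join collapses "." and ".." segments; path.resolve makes the result absolute.
  const candidate = path.resolve(path.join(absRoot, decoded));
  // Require the resolved path to be the root itself or strictly inside it. Comparing with
  // the separator appended stops "/srv/public-old" from passing a prefix check for "/srv/public".
  if (candidate !== absRoot && !candidate.startsWith(absRoot + path.sep)) return null;
  return candidate;
}

// JSON.stringify leaves "<", ">" and "&" untouched, and U+2028/U+2029 are legal in JSON
// strings but terminate lines in older JavaScript parsers. Replacing them with \uXXXX
// escapes keeps the value identical after JSON.parse while making it safe to inline.
const JSON_IN_HTML_ESCAPES: Record<string, string> = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

export function safeJsonForScript(value: unknown): string {
  const json = JSON.stringify(value);
  if (json === undefined) throw new TypeError("value is not JSON-serializable");
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => JSON_IN_HTML_ESCAPES[ch]);
}

// Hydration snippet built the safe way: the data can no longer close the script element.
export function renderHydrationScript(data: unknown, globalName = "__INITIAL_DATA__"): string {
  return `<script>window.${globalName} = ${safeJsonForScript(data)};</script>`;
}

// Constructed sample input: a hydrated field containing a script-breakout payload.
const sample = { user: "</script><script>alert(1)</script>" };
console.log(renderHydrationScript(sample));
console.log(resolveStaticPath("/../package.json", "/srv/public")); // null
```

Two design points worth noting. Decoding happens before normalization so that percent-encoded dot segments cannot slip past the check, and the final comparison is made on fully resolved paths rather than on the request string, so the exact encoding of the traversal does not matter. On the hydration side, the escaping is applied to the JSON text, not to the data, which means the client reads back exactly the original object with JSON.parse or as a literal.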
Audit Metadata