bun
Audited by Socket on Mar 12, 2026
1 alert found:
Anomaly: The skill behavior is broadly aligned with Bun's intended purpose as a unified JavaScript runtime/toolkit, including installation, project management, and runtime usage. However, it employs explicit download-and-execute installation patterns (curl | bash, PowerShell invoking a remote script). This creates a notable supply-chain/remote-execution risk, particularly if the user cannot verify the installer or if the domain is compromised. Data flows inside Bun usage appear normal for a developer tool, with no credentials or outbound data beyond typical network calls, but the initial install vector warrants caution. Overall assessment: SUSPICIOUS due to the download-and-execute installation pattern, with a moderate elevation of risk due to supply-chain exposure. If this skill is intended for production-grade usage, replace the remote installer with a verified, signed installer or a package-manager-based bootstrap to reduce risk.