bun
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

The document is a benign, practical guide for using Bun instead of Node.js. The main security concern is the unpinned pipe-to-shell installer (curl | bash) and the lack of guidance on dependency vetting and pinning. Those are supply-chain risks, not proof of malware. Recommend: inspect and pin installer code/releases, avoid executing unverified scripts, pin CI/action versions, and treat bun.lockb handling according to team policy. No explicit malicious code found in the provided text.

LLM verification: The document is legitimate documentation for using the Bun runtime, but it contains supply-chain risky guidance: specifically, recommending `curl -fsSL https://bun.sh/install | bash` and unpinned GitHub Action usage. There are no direct indicators of malware or obfuscation in this file, but the unverified install and lack of integrity/pinning controls raise the package's supply-chain security risk to a medium level. Recommendations: avoid pipe-to-shell; provide pinned release and checksum/signat