bun-server-websocket

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the @dangao/bun-server package, which is an unverified third-party dependency not associated with a trusted organization.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
      ◦ Ingestion points: Data enters the system via the handleMessage method in ChatGateway and RoomChatGateway within SKILL.md.
      ◦ Boundary markers: No delimiters or isolation techniques are used to separate untrusted user input from the execution logic.
      ◦ Capability inventory: The skill possesses the capability to broadcast unvalidated messages to all connected clients via client.send, allowing for the potential spread of malicious instructions in a multi-agent environment.
      ◦ Sanitization: No sanitization or content validation is performed on the incoming message before it is logged or re-broadcast.
  • [INFO] (LOW): The automated scanner alerts regarding 'clients.de' are false positives; the string is part of the JavaScript method call this.clients.delete(ws).
Recommendations
  • AI detected serious security threats
  • Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:29 AM