bun-api
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill serves exclusively as a documentation resource for Bun APIs. All code snippets are instructional examples for developers and do not contain malicious payloads or hidden logic.
- [COMMAND_EXECUTION]: The documentation describes the Bun.$ shell API and Bun.spawn for process execution. It includes security best practices, specifically warning against shell injection and explaining how Bun's template literals provide automatic escaping for variables.
- [EXTERNAL_DOWNLOADS]: The skill provides examples of fetching data from remote sources using fetch or curl for data processing pipelines. These examples target well-known or placeholder domains (e.g., example.com) and are standard patterns for the described functionality.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: The documentation covers APIs that read from Bun.stdin, local files via Bun.file(), and network sources via fetch.
  - Boundary markers: The documentation highlights that Bun.$ automatically escapes interpolated variables to prevent injection.
  - Capability inventory: The skill documents capabilities for shell execution (Bun.$, Bun.spawn), file writing (Bun.write), and database operations (bun:sqlite).
  - Sanitization: The reference materials explicitly warn about the dangers of using $.raw() and recommend using standard template interpolation for safety.