canary
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Downloads the official Bun installation script from bun.sh, which is a well-known service for JavaScript runtimes.
- [REMOTE_CODE_EXECUTION]: Executes the downloaded installation script via bash. The process includes a mandatory SHA-256 checksum verification to ensure the script has not been tampered with before execution.
- [COMMAND_EXECUTION]: Runs several local utility scripts for session management, configuration, and environment detection from the skill's own bin directory.
- [COMMAND_EXECUTION]: Modifies the project's CLAUDE.md file to add routing rules for AI agent skills, which only occurs after explicit user approval through a decision prompt.
- [DATA_EXFILTRATION]: Collects anonymous usage telemetry including skill name and execution duration. The skill implements a clear opt-in prompt for the user before any data is logged to local or remote endpoints.
Audit Metadata