electrobun-distribution
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the use of standard build and distribution tools such as bun, signtool, and xcrun for administrative tasks.
- [REMOTE_CODE_EXECUTION]: Implements a standard auto-update feature that fetches remote metadata and executes binary installers. This behavior is documented as the primary functionality of the distribution skill.
- [EXTERNAL_DOWNLOADS]: Configures network requests to a remote update server for fetching application updates and manifests.
- [PROMPT_INJECTION]: Identifies a surface for indirect prompt injection via the processing of remote JSON update manifests (updates.json). The skill provides a standard implementation without explicit boundary markers for untrusted metadata.
  - Ingestion points: src/bun/main.ts (Updater fetches updates.json)
  - Boundary markers: Absent
  - Capability inventory: src/bun/main.ts (downloadAndInstall, quitAndInstall)
  - Sanitization: Absent
- [SAFE]: Demonstrates secure handling of sensitive credentials by utilizing GitHub Actions secrets (e.g., secrets.GITHUB_TOKEN, secrets.MAC_CERTIFICATE) rather than hardcoding values.
Audit Metadata