electrobun
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Provides standard commands for project initialization and development using bunx electrobun init, bun run dev, and bun run build.
- [COMMAND_EXECUTION]: Includes setup instructions for Linux systems requiring sudo apt install to obtain necessary system libraries.
- [EXTERNAL_DOWNLOADS]: Documents an auto-update configuration that fetches version manifests from a remote endpoint (https://updates.myapp.com/latest.json).
- [DATA_EXFILTRATION]: Details access to persistent system paths such as paths.userData and paths.appData for application data management.
- [REMOTE_CODE_EXECUTION]: Describes a built-in update mechanism that can download and execute code for application updates from a user-configured provider.
- [PROMPT_INJECTION]: The documented RPC mechanism facilitates data transfer from a webview to the main process, presenting an indirect prompt injection surface.
- Ingestion points: win.defineRpc handlers in src/bun/main.ts accept and process data from the webview process.
- Boundary markers: No specific boundary markers or instructions to ignore embedded commands are present in the code examples.
- Capability inventory: The main process has the capability to write files (Bun.write), read files (Bun.file), and open external links (shell.openExternal).
- Sanitization: The templates do not demonstrate input validation or sanitization for data passed via the RPC interface.
Audit Metadata