wxt-skills

Fail

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: HIGH | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill documentation instructs users to install the Bun runtime via curl -fsSL https://bun.sh/install | bash and irm https://bun.sh/install.ps1 | iex. These commands pipe remote scripts directly into the system shell, allowing for arbitrary code execution. Although bun.sh is a reputable developer resource, the method lacks cryptographic integrity verification and originates from a source not included in the Trusted External Sources list.
  • Evidence: Found in SKILL.md and cli/bun-cheatsheet.md.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill utilizes bunx wxt@latest init to download project templates from remote npm registries.
  • Evidence: Found in SKILL.md and cli/bun-cheatsheet.md.
  • [COMMAND_EXECUTION] (LOW): The skill includes various CLI commands for managing the development lifecycle of browser extensions (e.g., bun run dev, wxt build). These are consistent with the skill's stated purpose.
Recommendations
  • HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 20, 2026, 01:25 AM