Bun Macros

Warn

Audited by Socket on Feb 15, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
  [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
  [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

The provided material documents a legitimate and powerful Bun macro mechanism (bundle-time JS evaluation and inlining). The examples correctly show common use cases (env inlining, file embedding, git metadata, codegen, remote fetch). There are no explicit hardcoded secrets, obfuscated code, or overtly malicious constructs in the examples. However, because macros run arbitrary code at build time with filesystem, subprocess, and network access, they present a moderate to high supply-chain risk if the macro source code is untrusted.

Recommended mitigations: only use macros from trusted, vetted authors; review macro source before running it in CI; restrict sensitive environment variables in untrusted builds; run builds in least-privilege sandboxed environments; and audit any macro that invokes subprocesses or makes network requests.

LLM verification: The documented Bun macros are legitimate examples of build-time code execution used for inlining values. There is no explicit malicious code in the provided examples. However, the design inherently grants macros high privileges (env, filesystem, subprocesses, network) and therefore represents a significant supply-chain risk if macros are untrusted or if build environments expose secrets. Treat macros as potentially dangerous: require code review, minimize secrets during builds, and restrict netw

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 15, 2026, 09:51 PM
Package URL: pkg:socket/skills-sh/secondsky%2Fclaude-skills%2Fbun-macros%2F@b1963794c80b4f6c07f87550f6878380f66989cf