Bun React SSR

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): Path Traversal. In src/server.tsx, the static file serving logic Bun.file(`./public${url.pathname}`) passes the request URL pathname straight into a filesystem path without sanitization. An attacker can use .. sequences (e.g., /static/../../.env) to read files outside the public directory, such as the server's .env, which are then returned in the HTTP response. Caveat for verification: a pathname taken from a WHATWG-conformant URL object (new URL(req.url).pathname) already collapses . and .. segments, including their percent-encoded forms, so practical reachability depends on whether url is built from the raw request line or from a URL object; the fix is the same either way: resolve the candidate against the public root and reject anything that resolves outside it.
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection (stored XSS surface). The data fetching example in src/server.tsx embeds database content directly into a <script> block using ${JSON.stringify({ users })}. JSON.stringify does not escape <, > or &, so a value containing </script><script>alert(1)</script> closes the script element early and the browser executes the injected script; an attacker who controls database content therefore gets arbitrary script execution in the user's browser. Evidence Chain: 1. Ingestion point: db.query in src/server.tsx; 2. Boundary markers: absent; 3. Capability inventory: Bun.serve (network response) and Bun.file (file read); 4. Sanitization: absent.
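The following is an added example, not code from the audited project or from the audit, showing one way to close both findings in a Bun server: a path resolver that confines static reads to the public root, and a JSON serializer that is safe to inline in a <script> element. The module layout, the /static/ prefix, the PUBLIC_ROOT location, the renderPage shell and the sample user row are all assumptions made for illustration; the real src/server.tsx is not reproduced here.

```typescript
import * as path from "node:path";

// Bun's global exists only when running under Bun; declaring it lets this file
// run under Node too (the serve block below is then skipped).
declare const Bun: any;

/**
 * Finding 1: confine static file access to the public root.
 * Returns the absolute file path, or null if the request escapes the root.
 * Resolving first and checking the prefix afterwards catches "..", their
 * percent-encoded forms and absolute paths with one rule.
 */
function resolvePublicPath(pathname: string, root: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathname); // %2e%2e becomes ".." before the check
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL would truncate the path at the OS level
  const rootAbs = path.resolve(root);
  // Drop leading separators so the request cannot supply an absolute path,
  // then resolve against the root and require the result to stay inside it.
  const candidate = path.resolve(rootAbs, decoded.replace(/^[/\\]+/, ""));
  if (candidate === rootAbs || candidate.startsWith(rootAbs + path.sep)) {
    return candidate; // callers still need to check the file exists and is not a directory
  }
  return null;
}

/**
 * Finding 2: make JSON safe to embed inside a <script> element.
 * JSON.stringify leaves <, > and & untouched, so "</script>" in data would close
 * the element. The \uXXXX forms are valid JSON and JS string escapes, so the
 * browser parses exactly the same value back.
 */
function jsonForScript(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hypothetical SSR shell; the real server.tsx renders React here.
function renderPage(users: { name: string }[]): string {
  return (
    `<!doctype html><html><body><div id="root"></div>` +
    `<script>window.__INITIAL_DATA__ = ${jsonForScript({ users })};</script>` +
    `</body></html>`
  );
}

// Constructed sample standing in for an attacker-controlled database row.
const SAMPLE_USERS = [{ name: "</script><script>alert(1)</script>" }];

if (typeof Bun !== "undefined") {
  const PUBLIC_ROOT = path.resolve("public"); // assumed location of the static dir
  Bun.serve({
    port: 3000,
    async fetch(req: { url: string }) {
      const url = new URL(req.url);
      if (url.pathname.startsWith("/static/")) {
        const file = resolvePublicPath(url.pathname.slice("/static".length), PUBLIC_ROOT);
        if (file === null) return new Response("Forbidden", { status: 403 });
        const f = Bun.file(file);
        if (!(await f.exists())) return new Response("Not found", { status: 404 });
        return new Response(f);
      }
      return new Response(renderPage(SAMPLE_USERS), {
        headers: { "content-type": "text/html; charset=utf-8" },
      });
    },
  });
}
```

The prefix check is done on the resolved absolute path rather than by searching the string for "..", which is why encoded dots, mixed separators and absolute paths are all rejected by the same rule. jsonForScript escapes rather than strips, so the client receives the original data unchanged; pair it with a Content-Security-Policy if the page already ships one.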
Recommendations
  • AI detected serious security threats. Specifically: resolve the static file path against the public root and reject any request that resolves outside it, and escape <, > and & when embedding JSON inside a <script> block so database content cannot terminate the element.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:04 PM