Bun Runtime

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's documentation (references/bunfig.md — the [install] section and "Auto-install Values") explicitly describes auto-installing packages from public registries (default registry = "https://registry.npmjs.org") and scoped registries, which means it can fetch and ingest arbitrary third-party (untrusted) package content as part of its runtime workflow.