bun-runtime

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides documentation and examples for using Bun's native shell execution utilities (Bun.$).
  • Evidence: SKILL.md demonstrates running commands like ls -la, git branch, and npm run build directly from the runtime.
  • [DATA_EXFILTRATION]: The provided example for a file upload handler contains a path traversal vulnerability surface that could lead to unauthorized file writing or system compromise.
  • Ingestion points: User-controlled data enters the system through req.formData() in the server example within SKILL.md.
  • Boundary markers: No delimiters, validation, or warnings regarding the safety of user-provided filenames are present in the documentation.
  • Capability inventory: The skill exposes capabilities for Bun.write, Bun.file access, and Bash command execution.
  • Sanitization: The example code fails to sanitize input, directly interpolating file.name into the target path of a write operation: await Bun.write(`./uploads/${file.name}`, file). Because the filename is user-controlled, an attacker can manipulate the target path using directory traversal sequences.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 27, 2026, 02:36 AM