Bun Runtime

Security checks across malware telemetry and agentic risk

Overview

This Bun helper skill is not clearly malicious, but it gives an agent broad shell, filesystem, and network power without meaningful guardrails.

Install only if you intentionally want the agent to have broad local shell, filesystem, and network capabilities through Bun. Use it only in trusted workspaces, review every command, path, URL, and request body before execution, and avoid passing untrusted strings. A safer version would remove eval, avoid building bun -e code from raw inputs, constrain file access to an approved workspace, and require explicit approval for command execution and outbound requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script accepts an arbitrary string argument and executes it with shell eval, which enables unrestricted command execution. This materially exceeds the stated purpose of providing Bun-specific runtime helpers and makes the skill capable of running any shell payload the caller can supply, including destructive filesystem, process, or network actions.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
This is an arbitrary command execution primitive: any input in COMMAND is evaluated by the shell with the privileges of the running process. In the context of an agent skill that may be invoked programmatically, this can be abused to execute destructive commands, exfiltrate secrets, modify files, or establish persistence, making the skill substantially more dangerous than its Bun-helper description suggests.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documents writing arbitrary paths and automatically creating parent directories without warning about modification of user data. In practice this can overwrite files, create persistence locations, or alter project state unexpectedly, especially when driven by untrusted prompts or indirect instructions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill openly exposes shell command execution and states it 'runs shell command' without any warning or limitation. In an agent environment, arbitrary command execution is a high-risk capability because it can read secrets, modify files, install persistence, or launch further network activity based on prompt-controlled input.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents HTTP requests but does not warn that data may leave the local environment. This is dangerous because agents may include sensitive prompt content, file contents, tokens, or command results in requests to attacker-controlled endpoints without the user recognizing the privacy and security implications.

Missing User Warnings

Medium
Confidence: 82%
Finding
The script sends arbitrary user-supplied URLs and optional bodies over the network without any warning, confirmation, or policy checks. In an agent skill context, this can cause unintended disclosure of sensitive data, surprise outbound connections, or use as a proxy to contact internal or attacker-controlled endpoints, making the network action materially security-relevant.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script performs shell execution silently and immediately, with no confirmation, warning, or policy gate before running attacker-controlled input. In an agent setting, the absence of a user-facing approval step increases the likelihood of unintended or covert execution of harmful commands.

VirusTotal

64/64 vendors flagged this skill as clean.
