Back to skill

Security audit

Bun Runtime

Security checks across malware telemetry and agentic risk

Overview

This Bun helper is not clearly malicious, but it gives an agent broad command, file, and network power without meaningful guardrails.

Install only if you intentionally want an agent to have broad local shell, filesystem, and network capabilities. Review every command, path, URL, method, and request body before use, avoid untrusted input, and prefer a safer version that removes eval, avoids raw string interpolation into bun -e, limits file paths and network destinations, and requires explicit approval for destructive or outbound actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises network-capable behavior but does not declare corresponding permissions or safety boundaries. Undeclared capabilities reduce transparency and can bypass policy or user expectations, especially when a skill can transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior claims Bun-native operations, but the finding indicates the implementation includes arbitrary shell command execution via eval and shell-based globbing. That mismatch is dangerous because consumers may trust the skill as a constrained Bun helper when it can actually execute arbitrary commands, greatly increasing command injection and unintended system access risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script takes an arbitrary string argument and executes it with Bash `eval`, which enables command injection and full shell execution in the skill context. This is especially dangerous because the skill is presented as a Bun runtime helper, yet it exposes unrestricted process execution that can read/write files, exfiltrate data, or run destructive system commands far beyond narrowly scoped Bun operations.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill's declared purpose is Bun-specific runtime functionality, but this script provides generic shell execution, materially expanding capability and attack surface beyond the stated scope. That mismatch makes the behavior more dangerous because callers may trust the skill as a bounded Bun helper while it can actually execute arbitrary OS commands.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger language is broad enough to activate on common requests involving files, processes, or networking, which can cause the skill to be invoked in contexts where the user did not intend powerful side effects. Overbroad activation increases the chance of accidental file modification, command execution, or data transmission.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents file-writing functionality without warning that it can modify user data or create directories. In this context, filesystem writes are inherently sensitive because they can overwrite files, change project state, or persist malicious content if invoked carelessly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents shell command execution without warning about system-level impact, and the surrounding context suggests commands may be passed as free-form strings. This is dangerous because it can lead to arbitrary command execution, destructive system changes, credential exposure, or command injection if untrusted input is included.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill documents network requests without warning that data may be sent to external systems. In a skill that also handles files and commands, network access raises exfiltration and privacy risks because local or derived data could be transmitted off-host without sufficient user awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script performs arbitrary outbound HTTP requests to a user-supplied URL and returns the response body, with no confirmation, allowlist, or disclosure mechanism. In an agent skill context, that creates SSRF and data-exfiltration risk because the agent can be induced to contact internal services or transmit sensitive body data to attacker-controlled endpoints.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Executing user-influenced input through `eval` without any warning, confirmation, or safety gate allows high-risk actions to occur silently. In an agent skill context, the absence of disclosure or confirmation increases the chance of accidental or unauthorized destructive commands being executed under the user's trust boundary.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.