Trust Assessment
bun-runtime received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 3 critical, 2 high, 0 medium, and 1 low severity. Key findings include Node lockfile missing, Direct Shell Command Injection via 'eval', Bun JavaScript Code Injection via unsanitized URL/Method/Body.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Direct Shell Command Injection via 'eval'. The `scripts/bun-process.sh` script directly executes user-provided input `$COMMAND` using `eval`. This allows an attacker to execute arbitrary shell commands on the host system with the privileges of the script, leading to full system compromise, data exfiltration, or denial of service. Do not use `eval` with untrusted input. If shell command execution is necessary, use a safer method that properly escapes or sanitizes input, or use a dedicated API that does not involve `eval`. Consider using `Bun.spawn` with an array of arguments to prevent shell interpretation. | LLM | scripts/bun-process.sh:13 |
| CRITICAL | Bun JavaScript Code Injection via unsanitized URL/Method/Body. The `scripts/bun-fetch.sh` script constructs a `bun -e` command by directly embedding user-provided `$URL`, `$METHOD`, and `$BODY` into a JavaScript string without proper sanitization. An attacker can inject arbitrary JavaScript code by including single quotes in these variables, breaking out of the string literal and executing malicious code within the Bun runtime. This can lead to data exfiltration (e.g., reading environment variables or local files), arbitrary network requests, or further command execution. Sanitize or escape all user-provided inputs (`$URL`, `$METHOD`, `$BODY`) before embedding them into the `bun -e` JavaScript string. A safer approach would be to pass these values as environment variables or arguments to a separate Bun script, rather than embedding them directly into the command string. | LLM | scripts/bun-fetch.sh:15 |
| CRITICAL | Bun JavaScript Code Injection via unsanitized Filepath/Data. The `scripts/bun-fs.sh` script constructs `bun -e` commands by directly embedding user-provided `$FILEPATH` and `$DATA` into JavaScript strings without proper sanitization. An attacker can inject arbitrary JavaScript code by including single quotes in these variables, leading to execution of malicious code within the Bun runtime. This allows for arbitrary file reads and writes, data exfiltration (e.g., reading environment variables or sensitive files), or further command execution. Sanitize or escape all user-provided inputs (`$FILEPATH`, `$DATA`) before embedding them into the `bun -e` JavaScript string. Implement strict path validation to restrict file operations to designated directories. A safer approach would be to pass these values as environment variables or arguments to a separate Bun script, rather than embedding them directly into the command string. | LLM | scripts/bun-fs.sh:11 |
| HIGH | Excessive Permissions: Arbitrary File Read and Write Access. The `scripts/bun-fs.sh` script allows reading and writing to arbitrary file paths specified by the user. The `read` action can disclose the content of any file accessible by the Bun process, and the `write` action can create or overwrite any file, including sensitive system files, potentially leading to system compromise, data corruption, or information disclosure. This broad filesystem access is excessive for a general-purpose skill. Implement strict access controls and path validation. Restrict file operations to a specific, sandboxed directory (e.g., a temporary working directory) and prevent access to sensitive system paths. Require explicit user confirmation or additional authorization for operations outside the designated sandbox. | LLM | scripts/bun-fs.sh:11 |
| HIGH | Shell Command Injection via unsanitized pattern in array assignment. The `scripts/bun-glob.sh` script uses user-provided input `$PATTERN` directly in a shell array assignment `files=($PATTERN)`. This allows for shell command injection if `$PATTERN` contains command substitution (e.g., `$(command)`) or other shell metacharacters. While the script attempts to filter for existing files, the injected command will still be executed, potentially leading to arbitrary command execution, side effects, or information disclosure. Avoid using untrusted input directly in shell array expansions. If globbing is required, use a dedicated and safe globbing function or library that does not involve shell interpretation of the pattern. If shell globbing is unavoidable, ensure the input is strictly validated to prevent command substitution or other shell metacharacters. | LLM | scripts/bun-glob.sh:12 |
| LOW | Node lockfile missing. `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/rabin-thami/bun-runtime/package.json |