bun-runtime-best-practices

Teaches best practices for Bun runtime, focusing on file I/O, environment variables, and subprocess management for improved performance.

0/100

Security score

The bun-runtime-best-practices skill was audited on Mar 1, 2026 and we found 42 security issues across 2 threat categories, including 3 critical. Review the findings below before installing.

Categories Tested

Security Issues

critical line 127

Direct command execution function call

Source: SKILL.md
127: ### Use Bun.spawn() Instead of child_process

high line 135

Direct command execution function call

Source: SKILL.md
135: const child = spawn("ls", ["-la"]);

critical line 138

Direct command execution function call

Source: SKILL.md
138: **✅ Prefer: Bun.spawn()**

high line 142

Direct command execution function call

Source: SKILL.md
142: const proc = Bun.spawn(["ls", "-la"]);

high line 147

Direct command execution function call

Source: SKILL.md
147: const proc = Bun.spawn(["git", "status"], {

high line 166

Direct command execution function call

Source: SKILL.md
166: const proc = Bun.spawn(["sh", "-c", "echo Hello && date"], {

high line 173

Direct command execution function call

Source: SKILL.md
173: const proc1 = Bun.spawn(["ls", "-la"], { stdout: "pipe" });

high line 174

Direct command execution function call

Source: SKILL.md
174: const proc2 = Bun.spawn(["grep", ".ts"], {

high line 357

Direct command execution function call

Source: SKILL.md
357: const proc = Bun.spawn(["echo", "hello"], { stdout: "pipe" });

critical line 644

Direct command execution function call

Source: SKILL.md
644: 3. **Processes**: Use `Bun.spawn()` instead of `child_process`

medium line 207

Template literal with variable interpolation in command context

Source: SKILL.md
207: const configPath = `${import.meta.dir}/config.json`;

medium line 222

Template literal with variable interpolation in command context

Source: SKILL.md
222: const configPath = `${import.meta.dir}/../config.json`;

medium line 429

Template literal with variable interpolation in command context

Source: SKILL.md
429: ws.send(`Echo: ${message}`);

medium line 488

Template literal with variable interpolation in command context

Source: SKILL.md
488: const users = await pg`SELECT * FROM users WHERE active = ${true}`;

medium line 492

Template literal with variable interpolation in command context

Source: SKILL.md
492: const posts = await mysql`SELECT * FROM posts LIMIT ${10}`;

medium line 496

Template literal with variable interpolation in command context

Source: SKILL.md
496: const data = await sqlite`SELECT * FROM table WHERE id = ${123}`;

medium line 514

Template literal with variable interpolation in command context

Source: SKILL.md
514: const [newUser] = await db`

medium line 521

Template literal with variable interpolation in command context

Source: SKILL.md
521: const users = await db`

medium line 530

Template literal with variable interpolation in command context

Source: SKILL.md
530: await tx`INSERT INTO accounts (user_id, balance) VALUES (${userId}, ${0})`;

medium line 531

Template literal with variable interpolation in command context

Source: SKILL.md
531: await tx`UPDATE users SET has_account = true WHERE id = ${userId}`;

medium line 535

Template literal with variable interpolation in command context

Source: SKILL.md
535: const getUser = db.prepare`SELECT * FROM users WHERE id = ${0}`;

medium line 550

Template literal with variable interpolation in command context

Source: SKILL.md
550: await db`

medium line 556

Template literal with variable interpolation in command context

Source: SKILL.md
556: const products = await db`

medium line 564

Template literal with variable interpolation in command context

Source: SKILL.md
564: await db`INSERT INTO products (name, price) VALUES ${values}`;

medium line 575

Template literal with variable interpolation in command context

Source: SKILL.md
575: const users = await db`SELECT * FROM users WHERE active = ${true}`;

medium line 127

Node child_process module reference

Source: SKILL.md
127: ### Use Bun.spawn() Instead of child_process

medium line 129

Node child_process module reference

Source: SKILL.md
129: **❌ Avoid: child_process**

low line 132

Node child_process module reference

Source: SKILL.md
132: import { spawn } from "child_process";

low line 133

Node child_process module reference

Source: SKILL.md
133: import { exec } from "node:child_process";

medium line 644

Node child_process module reference

Source: SKILL.md
644: 3. **Processes**: Use `Bun.spawn()` instead of `child_process`

medium line 90

Access to .env file

Source: SKILL.md
90: ### Use Bun.env Instead of process.env

medium line 92

Access to .env file

Source: SKILL.md
92: **❌ Avoid: process.env**

low line 95

Access to .env file

Source: SKILL.md
95: const apiKey = process.env.API_KEY;

low line 96

Access to .env file

Source: SKILL.md
96: const port = process.env.PORT || "3000";

medium line 99

Access to .env file

Source: SKILL.md
99: **✅ Prefer: Bun.env**

low line 102

Access to .env file

Source: SKILL.md
102: const apiKey = Bun.env.API_KEY;

low line 103

Access to .env file

Source: SKILL.md
103: const port = Bun.env.PORT ?? "3000";

low line 105

Access to .env file

Source: SKILL.md
105: // Bun.env is typed and provides better autocomplete

low line 106

Access to .env file

Source: SKILL.md
106: // Load from .env file automatically

low line 122

Access to .env file

Source: SKILL.md
122: const env = EnvSchema.parse(Bun.env);

low line 149

Access to .env file

Source: SKILL.md
149: env: { ...Bun.env, GIT_AUTHOR_NAME: "Bot" },

medium line 643

Access to .env file

Source: SKILL.md
643: 2. **Environment**: Use `Bun.env` instead of `process.env`

Scanned on Mar 1, 2026
GitHub Stars 7
Category: development
Updated: May 13, 2026
shepherdjerred/monorepo