perf-profiling
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by instructing the agent to place user-provided URLs and API endpoints into shell commands for performance analysis.\n
- Ingestion points: The skill uses placeholders such as and in SKILL.md for targeting performance tests.\n
- Boundary markers: No explicit delimiters or instructions are provided to the agent to treat these inputs as untrusted or to ignore embedded instructions.\n
- Capability inventory: The skill utilizes commands like curl, npx lighthouse, wrk, and node -e in SKILL.md.\n
- Sanitization: There are no mechanisms described for sanitizing or escaping the input strings before they are interpolated into executable command strings.\n- [COMMAND_EXECUTION]: The skill instructs the agent to execute various CLI tools and scripts to collect performance data, including curl for network timing, wrk for benchmarking, and node --prof for CPU analysis.\n- [EXTERNAL_DOWNLOADS]: The skill references and installs well-known performance auditing tools from public registries, such as Google's Lighthouse via npx and memory_profiler via pip. These are documented as standard practices for the intended functionality.
Audit Metadata