Skills
skills/aj-geddes/useful-ai-prompts/performance-testing/Gen Agent Trust Hub

performance-testing

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill includes hardcoded example credentials within its performance testing templates.
  • Evidence: The files SKILL.md.original and references/k6-for-api-load-testing.md contain a k6 script with the hardcoded credentials email: "test@example.com" and password: "password123" for a login simulation.
  • [COMMAND_EXECUTION]: The skill provides multiple instructions for executing shell commands and external binaries to run performance tests.
  • Evidence:
  • File references/k6-for-api-load-testing.md: Contains commands for running k6 tests, such as k6 run load-test.js.
  • File references/apache-jmeter.md: Contains instructions for executing JMeter CLI tests: jmeter -n -t test-plan.jmx -l results.jtl -e -o report/.
  • File references/jmh-for-java-benchmarking.md: Includes commands for building and running Java benchmarks: mvn clean install and java -jar target/benchmarks.jar.
  • File scripts/validate-api.sh: A shell script provided to execute validation tasks on API specification files.
  • [EXTERNAL_DOWNLOADS]: The skill references and provides examples for well-known performance testing tools and libraries.
  • Evidence: The guidance covers the implementation and usage of k6, Apache JMeter, pytest-benchmark, JMH, and SQLAlchemy. These are well-established technologies from recognized organizations.
  • [PROMPT_INJECTION]: The skill presents a vulnerability surface for indirect prompt injection by processing external data from multiple sources.
  • Ingestion points: Data is ingested from external API responses in references/k6-for-api-load-testing.md and database query results in references/database-query-performance.md.
  • Boundary markers: There are no explicit boundary markers or instructions provided to the agent to ignore or isolate potential commands embedded within the processed external data.
  • Capability inventory: The skill has the capability to perform network requests (via k6 and fetch) and execute shell commands (k6, jmeter, mvn, java).
  • Sanitization: No sanitization, validation, or escaping of the external content is performed before the data is used in subsequent logic or output.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 4, 2026, 01:16 PM