testing-performance
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary functionality involves executing CLI commands for performance testing tools including k6, Locust, and JMeter. These operations are intended for the skill's primary purpose but involve subprocess execution.
- [EXTERNAL_DOWNLOADS]: The documentation suggests installing dependencies via standard package managers (
npm install -g k6,pip install locust) and pulling Docker images (loadimpact/k6). These are recognized, well-known services and do not escalate the risk profile. - [CREDENTIALS_UNSAFE]: In the Error Handling section, the skill recommends verifying environment variables by echoing them (e.g.,
echo $K6_API_KEY). This practice can result in sensitive authentication tokens being captured in agent logs or CI/CD output, leading to credential exposure. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it executes scripts (
script.js,locustfile.py) that may be provided by external users or generated from untrusted data. - Ingestion points: Reads local script files (
script.js,locustfile.py,test_plan.jmx) for execution. - Boundary markers: None identified in the prompt templates.
- Capability inventory: Subprocess execution via
k6 run,locust, andjmeterCLI tools. - Sanitization: No specific sanitization or validation of script content is mentioned before execution.
Audit Metadata