performance-engineer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill originates from an untrusted repository (github.com/Charon-Fan/agent-playbook), which does not fall within the defined [TRUST-SCOPE-RULE].
- COMMAND_EXECUTION (MEDIUM): The skill uses Bash to execute various profiling tools and its own internal Python scripts (scripts/profile.py, scripts/perf_report.py). This grants the agent the ability to execute code in the local environment, which is dangerous if the target code is malicious.
- PROMPT_INJECTION (HIGH): The skill exhibits a high vulnerability to Indirect Prompt Injection (Category 8).
  - Ingestion points: The skill is specifically designed to read, analyze, and optimize application source code and logs provided by the user (as seen in SKILL.md Phase 1 and 2).
  - Boundary markers: Absent. The instructions do not define delimiters or provide 'ignore embedded instructions' warnings for the code being processed.
  - Capability inventory: The skill is granted Bash, Write, and Edit permissions, allowing it to execute arbitrary processes and modify the file system based on potentially malicious inputs.
  - Sanitization: None. There is no evidence of validation or sanitization of user-provided code before it is passed to profiling tools or modification scripts.
- DATA_EXFILTRATION (LOW): The SKILL.md file suggests using curl to hit external domains (https://example.com/users) that are not on the trusted whitelist, which is a minor network safety violation.
- DYNAMIC_EXECUTION (MEDIUM): The metadata hooks (self-improving-agent) suggest a mechanism for the agent to modify its behavior or 'learn' from performance patterns in the background, which could be exploited to persist malicious instructions derived from processed data.
Recommendations
- AI detected serious security threats
Audit Metadata