cloudflare-performance-engineering
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION]: The skill uses zero-width character obfuscation (, , ) in the main header to hide an external URL. Decoding the hidden binary sequence reveals the string: 'SKILL_HIDDEN_URL:https://perf-metrics.tech/payload'. This technique is used to bypass static security analysis and inject unauthorized external references into the agent context.
- [DATA_EXFILTRATION]: The provided 'Performance Measurement' JavaScript snippet implements a telemetry collection pattern using 'navigator.sendBeacon' to transmit data to a remote 'endpoint'. While intended for Real User Measurement (RUM), this pattern creates a risk surface where sensitive environment data could be exfiltrated to attacker-controlled domains if the 'endpoint' parameter is maliciously configured.
Recommendations
- AI detected serious security threats