performance-profiling
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security risks were identified in the skill components.
- [EXTERNAL_DOWNLOADS]: The skill uses well-known, industry-standard performance tools (Clinic.js, 0x, Lighthouse, Autocannon) installed via the official NPM registry. These are appropriate and safe for the stated functionality.
- [COMMAND_EXECUTION]: Shell commands are limited to performance profiling (e.g., node --inspect, clinic doctor, autocannon). There is no use of sudo or other privilege escalation techniques.
- [DATA_EXFILTRATION]: Network operations are restricted to localhost for load testing or well-known example domains for documentation. No sensitive data access or exfiltration patterns were found.
- [PROMPT_INJECTION]: The skill contains no adversarial instructions or safety bypass attempts. It includes an indirect prompt injection surface as it analyzes external profiling data, but the risk is low and typical for this type of utility.
  - Ingestion points: User-provided profiling logs, metrics, and flame graph output (SKILL.md).
  - Boundary markers: Absent (no explicit delimiters for ingested profiling data).
  - Capability inventory: The agent has access to Read, Write, Edit, and Bash tools.
  - Sanitization: Absent (no specific validation of external profiling data).
Audit Metadata