performance-profiling
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The script `scripts/lighthouse_audit.py` invokes the `lighthouse` CLI tool using `subprocess.run`.
  - Ingestion Point: The script accepts a URL from `sys.argv[1]`.
  - Capability Inventory: Uses `subprocess.run` to call external software.
  - Analysis: Although the script correctly avoids `shell=True` by passing arguments as a list, it still passes user-controlled data (the URL) to an external process. This is a common pattern for utility skills and is considered low risk when using reputable tools like Lighthouse, but it technically constitutes an attack surface for indirect prompt injection or command argument manipulation if the underlying tool has vulnerabilities.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill documentation and scripts reference the `lighthouse` package from npm. This is a well-known, trusted dependency for web performance auditing.
Audit Metadata