wp-performance
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The `scripts/perf_inspect.mjs` utility executes WP-CLI commands using the `spawnSync` function. Arguments are passed as an array rather than a single string, which is a secure implementation that prevents shell injection vulnerabilities.
- [EXTERNAL_DOWNLOADS]: The skill mentions installing official WP-CLI packages (e.g., `wp-cli/doctor-command`). These references point to official and well-known repositories, adhering to trusted source guidelines.
- [SAFE]: The skill instructions and scripts were reviewed for prompt injection, data exfiltration, and obfuscation; no such malicious vectors were identified. The use of the `--allow-root` flag is a standard operational requirement for WP-CLI in specific environments like Docker and does not constitute a security flaw in this context.
Audit Metadata