perf-expert
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core function is to ingest untrusted data from external websites (via audit tools) and use that data to generate code fixes and prioritize tasks. This creates a significant attack surface where a malicious website could embed instructions in its HTML (e.g., comments or meta tags) designed to subvert the agent's behavior.
- Ingestion points: External website source code and metadata processed by Lighthouse, unlighthouse, and pa11y.
- Boundary markers: Absent. The skill does not instruct the agent to ignore or delimit instructions found within the audited content.
- Capability inventory: The agent is authorized to recommend specific code modifications and shell commands to the user, providing a path for malicious instructions to influence the user's environment.
- Sanitization: Absent. There is no logic provided to filter or escape content retrieved from the audited URLs.
- [Remote Code Execution] (MEDIUM): The skill relies on npx to run tools like lighthouse, unlighthouse, and pa11y. npx downloads and executes packages from the npm registry at runtime, which can be a vector for supply chain attacks or typosquatting, especially for third-party tools like unlighthouse.
- [Command Execution] (LOW): The skill explicitly instructs the agent to run shell commands (npx, du -sh) to gather data. While standard for performance auditing, this capability should be used with caution when combined with inputs from untrusted external sources.
Recommendations
- AI detected serious security threats
Audit Metadata