fe-perf
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is inherently susceptible to indirect prompt injection because its core function is to read and analyze source code files provided by the user or an external project. Malicious instructions could be hidden within comments or metadata of the files being optimized.
- Ingestion points: Source code files (e.g., .tsx, .js) and package.json files passed through the $ARGUMENTS variable.
- Boundary markers: The skill does not define specific delimiters or warnings to ignore instructions within the analyzed data.
- Capability inventory: The skill identifies performance issues and provides an 'Application' step, which implies the ability to modify (write) local project files.
- Sanitization: No sanitization or validation of the file content is specified before the agent processes it.
- [COMMAND_EXECUTION] (SAFE): The skill utilizes standard, well-known development commands such as
npx vite-bundle-visualizerandnext build. These are used for their intended purpose of bundle analysis. - [EXTERNAL_DOWNLOADS] (SAFE): The skill references a wide range of reputable, high-traffic NPM packages including lodash, date-fns, and lucide-react. No suspicious or obfuscated dependency patterns were identified.
Audit Metadata