skills/jeremylongshore/claude-code-plugins-plus-skills/detecting-performance-regressions/Gen Agent Trust Hub
detecting-performance-regressions
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The scripts
scripts/create_github_comment.pyandscripts/generate_report.pyimplement agenerate_scriptmethod that writes a template string to a.shfile and then applies executable permissions viachmod 0o755. Since the content of this script can be provided via command-line arguments, this allows for the creation of executable files from arbitrary strings. - [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection due to its handling of untrusted CI/CD performance data.
- Ingestion points:
scripts/analyze_metrics.pytraverses and analyzes files from external CI/CD build environments. - Boundary markers: No delimiters or instructions are used to ensure the agent ignores malicious instructions embedded within the performance data.
- Capability inventory: The skill possesses the capability to write files and create executable scripts.
- Sanitization: There is no evidence of data sanitization or validation of the metric inputs before they are utilized in reporting or script generation logic.
Audit Metadata