skills/jeremylongshore/claude-code-plugins-plus-skills/profiling-application-performance/Gen Agent Trust Hub
profiling-application-performance
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DYNAMIC_EXECUTION]: The script
scripts/generate_report.pycontains agenerate_scriptmethod that assembles a shell script by concatenating a static header with a user-provided template string. This allows for the runtime creation of executable scripts based on arbitrary inputs. - [PRIVILEGE_ESCALATION]: The
scripts/generate_report.pyscript automatically elevates permissions on dynamically generated shell scripts usingchmod(0o755). This facilitates immediate execution of the generated content, increasing the risk associated with script generation. - [INDIRECT_PROMPT_INJECTION]: The skill exposes an attack surface where untrusted data can influence system-level operations.
- Ingestion points: The
scripts/generate_report.pyscript accepts input through the--contentcommand-line argument, which is intended to be populated by the AI agent based on user requests. - Boundary markers: None. There are no instructions to the agent to sanitize or validate the content before passing it to the script generator.
- Capability inventory: The skill has broad execution capabilities via the
Bash(cmd:*)tool and the ability to write executable files to the file system. - Sanitization: There is no evidence of input validation, escaping, or sanitization in the Python scripts to prevent the injection of malicious commands into the generated shell scripts.
Audit Metadata