auto-perf-optimize
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- Script Generation and Execution: The skill encourages the creation of custom automation scripts in a gitignored `scratchpad/` directory. These scripts are executed using Node.js to drive VS Code scenarios. While this is a core feature for performance investigations, it involves running dynamically generated code on the local system.
- User Data Profile Management: The `userDataProfile.mts` utility and smoke runners handle VS Code user-data directories, which can include authentication tokens and extension state. The skill includes explicit warnings and logic to keep these profiles in local, gitignored directories to prevent accidental exposure of secrets.
- Local Command Execution: The runners use the `child_process` module to execute local shell scripts (e.g., `scripts/code.sh`) for launching the VS Code environment. This is necessary for the skill's purpose but represents the execution of local system commands.
- Indirect Interaction Surface: The Chat memory smoke runner interacts with the VS Code Chat interface, sending prompts and reading responses. This creates a surface where content from the LLM is processed to determine UI state.
  - Ingestion points: Chat responses read via `innerText` in `scripts/chat-memory-smoke.mts`.
  - Boundary markers: None used for the response content processing.
  - Capability inventory: Script generation, file writing (`summary.json`, screenshots), and VS Code command execution.
  - Sanitization: No sanitization is performed on the ingested chat response text.
Audit Metadata