webperf-loading
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses browser APIs to measure performance and does not perform any malicious operations.
- [DATA_EXFILTRATION]: No exfiltration detected. Network requests are used solely to fetch page resources for analysis.
- [PROMPT_INJECTION]: No prompt injection or bypass instructions found.
- [REMOTE_CODE_EXECUTION]: All execution logic is contained in provided scripts; no external scripts are fetched and run.
- [CREDENTIALS_UNSAFE]: Contains a defensive audit tool that scans hydration scripts for secret keys (e.g., API keys, tokens) to warn developers.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. 1. Ingestion points: Performance entries, HTML/CSS, and JSON hydration data. 2. Boundary markers: None. 3. Capability inventory: chrome-devtools MCP tools. 4. Sanitization: None. This is a common characteristic of auditing tools.
Audit Metadata