perf-optimizer
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill utilizes local shell commands (
cat,jq,grep,wc) and Node.js scripts located within the project repository (development/perf-ci/,development/performance-server/) to process performance metrics. These actions are standard for developer tooling. - [DATA_EXPOSURE] (SAFE): The skill accesses local performance session logs stored in
~/perf-sessions/and writes temporary metrics to/tmp/. It does not attempt to access sensitive system files (e.g., SSH keys, credentials) or transmit data to external servers. - [Indirect Prompt Injection] (LOW): The skill ingests data from log files (
mark.log,function_call.log) which are generated during app execution. While these are external inputs, the agent uses them specifically for metric extraction and documentation. There is a theoretical risk of log-based injection if the app under test is malicious, but the impact is limited by the skill's restricted capabilities. - [REMOTE_CODE_EXECUTION] (SAFE): No patterns of downloading and executing remote scripts (e.g.,
curl | bash) were found. All execution targets local, project-specific files.
Audit Metadata