performance-reporter
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill consists entirely of Markdown-based reporting templates and configuration instructions. No executable scripts (Python, JavaScript, or Shell) are present in the provided files.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface because it is designed to ingest and process untrusted data from external SEO tools (e.g., page titles, search queries, and analytics metrics). An attacker who controls the data appearing in these sources could attempt to influence the agent's summary output. However, the skill lacks dangerous capabilities such as file system writes or arbitrary command execution, which significantly limits the potential impact of such an attack.
- [EXTERNAL_DOWNLOADS]: The documentation references a skill library hosted on a trusted domain (skills.sh) and provides installation instructions using a standard package runner (npx). These references are for skill management and do not constitute malicious remote code execution within the skill's logic.