wp-performance
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
- [Remote Code Execution] (SAFE): No evidence of remote code execution or shell command injection was found in the provided files. The automated alert referencing a
curlcommand could not be verified within the skill content, and the command itself (-o /dev/null) is a common connectivity test that discards output. - [Data Exposure] (SAFE): No hardcoded credentials or sensitive file paths were identified. The use of
example.comin URLs is consistent with standard documentation practices for educational content. - [Prompt Injection] (SAFE): No instructions attempting to override agent behavior, bypass safety filters, or extract system prompts were detected.
- [Obfuscation] (SAFE): No encoded strings (Base64), homoglyphs, or hidden characters (zero-width) were found.
- [Indirect Prompt Injection] (SAFE): The skill serves as a static knowledge base for performance best practices and does not ingest untrusted runtime data with dangerous capabilities. Explicitly labels 'BAD' vs 'GOOD' practices to guide the agent safely.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://example.com/ - DO NOT USE
Audit Metadata