perf-analyzer
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Prompt Injection] (SAFE): No evidence of instructions attempting to bypass safety filters, extract system prompts, or override agent behavior.
- [Data Exposure & Exfiltration] (SAFE): No sensitive file paths (e.g., .ssh, .env) or network exfiltration patterns detected. The skill only provides structural templates for performance reporting.
- [Obfuscation] (SAFE): The file is written in plain markdown with no Base64, zero-width characters, or encoded commands.
- [Unverifiable Dependencies & RCE] (SAFE): The skill does not perform any package installations (npm/pip) or execute remote scripts. It mentions libraries like 'date-fns' and 'lodash' solely as recommendations for the user to optimize their own code.
- [Privilege Escalation] (SAFE): No commands requesting administrative or root access (e.g., sudo, chmod) are present.
- [Indirect Prompt Injection] (LOW): While the skill is designed to ingest and analyze user-provided code (untrusted data), it lacks the 'Capability Inventory' (no subprocess calls, file-write, or network operations) necessary for an attacker to leverage the ingestion point for a malicious outcome.
- [Dynamic Execution] (SAFE): There is no use of eval(), exec(), or runtime compilation logic within the skill instructions.
Audit Metadata