golang-performance
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it is designed to ingest and analyze untrusted user Go source code and benchmark outputs.
  - Ingestion points: The skill reads Go source files and profiling data (pprof, benchstat) provided in the agent's context.
  - Boundary markers: While the skill uses structured templates, it lacks explicit instructions to identify and ignore potentially malicious directives embedded within user-provided code comments or string literals.
  - Capability inventory: The skill environment allows for command execution via bash (go, curl, git, etc.) and network access through WebFetch.
  - Sanitization: No specific filtering or validation of the processed code content is described in the instruction files.
- [SAFE]: The skill follows professional performance engineering practices, emphasizing the use of profiling (pprof, fgprof) before applying any code changes.
- [SAFE]: Recommended third-party dependencies are from reputable organizations (e.g., Uber, HashiCorp, Elastic, Grafana) or are vendor resources from the author (samber).
- [SAFE]: No evidence of hardcoded credentials, malicious obfuscation, persistence mechanisms, or privilege escalation was found in the provided files.
Audit Metadata