performance-test
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM | EXTERNAL_DOWNLOADS | REMOTE_CODE_EXECUTION | COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's configuration allows npm:* and npx:lighthouse* via the Bash tool. This permits the agent to fetch and install any package from the npm registry, which is an external and potentially untrusted source.
- [COMMAND_EXECUTION] (MEDIUM): Access to k6 and artillery binaries allows the agent to generate high-volume network traffic. If directed at unintended targets, this capability could be leveraged to perform Denial of Service (DoS) attacks.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The npx tool and npm install commands are designed to execute code directly from the npm registry. This is a form of remote code execution that, while necessary for the skill's purpose, increases the risk of executing malicious scripts.
- [CREDENTIALS_UNSAFE] (LOW): Example k6 scripts contain placeholder credentials. This sets a poor security precedent that may lead to the accidental hardcoding of real secrets in performance test files.