web-perf

Warn

Audited by Socket on Feb 25, 2026

1 alert found:

Security: MEDIUM
SKILL.md

Functional web-performance audit instructions that are mostly coherent with their stated purpose. The primary supply-chain risk is the recommended MCP bootstrap using `npx -y chrome-devtools-mcp@latest`, an unpinned, dynamic download-and-execute step. That pattern executes code fetched from the npm registry at runtime and is a high-risk vector. Secondary risks stem from collecting detailed traces and network request bodies that can contain sensitive data; the skill does not instruct redaction or impose limits on captured data. No explicitly malicious code is present in the document, but the install/execution guidance and the lack of data-handling constraints make this skill suspicious from a supply-chain and data-exposure perspective. Recommendations: require a pinned, audited version of the MCP package (or a vendor-supplied binary with a checksum); add guidance to avoid capturing authenticated resources or to redact sensitive headers and bodies; and document explicit least-privilege usage and retention policies for traces.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 25, 2026, 09:01 PM
Package URL
pkg:socket/skills-sh/sundial-org%2Fawesome-openclaw-skills%2Fweb-perf%2F@1fa827b755f1542a2c29e2a79c61a66a33c0ab3d