lighthouse

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Executes local scripts (scripts/psi-measure.mjs) and project-defined commands (npm run typecheck, npm test, npm run lint:all) to measure performance and verify code quality.
  • [COMMAND_EXECUTION]: Utilizes node -e to dynamically parse and extract metrics from JSON report files, which involves runtime evaluation of code strings.
  • [CREDENTIALS_UNSAFE]: References the storage and use of PAGESPEED_API_KEY within .dev.vars or environment variables.
  • [DATA_EXFILTRATION]: Performs git push to remote repositories, which exports local code and potential project secrets to external infrastructure.
  • [PROMPT_INJECTION]: Susceptible to indirect prompt injection through the ingestion of external PageSpeed Insights report data. Ingestion points: reports/ directory JSON files. Boundary markers: None. Capability inventory: Bash, Write, Edit, git push. Sanitization: No validation of ingested JSON structure or content is performed.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 2, 2026, 04:32 AM