wp-performance
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill utilizes high-privilege commands including `wp profile eval` for dynamic PHP execution and `wp db query` for direct SQL operations. These are necessary for deep performance profiling but represent a large attack surface. It also references a local script `perf_inspect.mjs` which was not provided in the skill files.
- EXTERNAL_DOWNLOADS (LOW): The instructions suggest installing WP-CLI packages (`wp-cli/doctor-command` and `wp-cli/profile-command`) from GitHub. As the `wp-cli` organization is not on the trusted whitelist, these are categorized as unverifiable external dependencies.
- PROMPT_INJECTION (LOW): The skill exhibits an indirect prompt injection surface.
  1. Ingestion points: Data is read from external WordPress REST API headers and JSON envelopes (`references/query-monitor-headless.md`).
  2. Boundary markers: Absent.
  3. Capability inventory: The agent can execute arbitrary PHP, SQL, and install packages via WP-CLI.
  4. Sanitization: No explicit validation or sanitization of ingested REST data is defined.
Audit Metadata