skills/adobe/skills/cwv-optimizer/Gen Agent Trust Hub

cwv-optimizer

Pass

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses curl in multiple steps (Step 1, 4, and 7) to fetch page headers and HTML content for analysis. These are standard diagnostic operations used to establish performance baselines and inventory resources.
  • [EXTERNAL_DOWNLOADS]: The skill fetches Real User Monitoring (RUM) data from bundles.aem.page and utilizes the @adobe/rum-distiller library. These are official Adobe resources and utilities consistent with the skill's purpose for AEM EDS optimization.
  • [PROMPT_INJECTION]: The skill processes content from external URLs, creating a potential surface for indirect prompt injection. However, it explicitly mitigates this risk in the 'External Content Safety' section by instructing the agent to treat fetched content as untrusted, avoid executing scripts, and not follow unauthorized redirects.
  • Ingestion points: SKILL.md (Steps 1, 4, and 7) fetch external HTML and JS files.
  • Boundary markers: The 'External Content Safety' section provides explicit instructions to ignore embedded commands in fetched data.
  • Capability inventory: The skill uses curl for fetching and grep for parsing; no arbitrary code execution or filesystem writes are requested beyond temporary file storage for curl output.
  • Sanitization: Instructions mandate that the agent must not interpret dynamic content or execute scripts from fetched pages.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 7, 2026, 10:54 AM
Security Audit — agent-trust-hub — cwv-optimizer