skills/dnyoussef/ai-chrome-extension/when-analyzing-performance-use-performance-analysis/Gen Agent Trust Hub
when-analyzing-performance-use-performance-analysis
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill frequently executes
npx claude-flow@alphato perform various analysis and optimization tasks. This command downloads and runs theclaude-flowpackage from the NPM registry. The use of an alpha version is consistent with the vendor's development workflow. - [COMMAND_EXECUTION]: The workflow involves several complex shell commands, including
forloops to iterate through agent lists and the use ofjqto parse performance metrics. These commands are integral to the automation of the performance monitoring process. - [DATA_EXFILTRATION]: The skill collects detailed performance data, including CPU, memory, and network usage. This information is used locally for establishing performance baselines and generating improvement reports, with no evidence of transmission to external third-party domains.
- [PROMPT_INJECTION]: The skill processes external JSON data generated during profiling (e.g.,
swarm-profile.json) using shell tools. This presents a potential surface for indirect prompt injection if the performance data were to be maliciously manipulated. - Ingestion points: Performance metric files and analysis results used in SKILL.md and PROCESS.md.
- Boundary markers: No explicit delimiters are used to wrap or isolate the processed performance data.
- Capability inventory: The skill possesses the capability to execute shell commands and
npxutilities based on analyzed performance data. - Sanitization: No explicit validation or sanitization of the JSON profiling data is implemented prior to processing.
Audit Metadata