when-analyzing-performance-use-performance-analysis

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill frequently executes npx claude-flow@alpha to perform various analysis and optimization tasks. This command downloads and runs the claude-flow package from the NPM registry. The use of an alpha version is consistent with the vendor's development workflow.
  • [COMMAND_EXECUTION]: The workflow involves several complex shell commands, including for loops to iterate through agent lists and the use of jq to parse performance metrics. These commands are integral to the automation of the performance monitoring process.
  • [DATA_EXFILTRATION]: The skill collects detailed performance data, including CPU, memory, and network usage. This information is used locally for establishing performance baselines and generating improvement reports, with no evidence of transmission to external third-party domains.
  • [PROMPT_INJECTION]: The skill processes external JSON data generated during profiling (e.g., swarm-profile.json) using shell tools. This presents a potential surface for indirect prompt injection if the performance data were to be maliciously manipulated.
  • Ingestion points: Performance metric files and analysis results used in SKILL.md and PROCESS.md.
  • Boundary markers: No explicit delimiters are used to wrap or isolate the processed performance data.
  • Capability inventory: The skill possesses the capability to execute shell commands and npx utilities based on analyzed performance data.
  • Sanitization: No explicit validation or sanitization of the JSON profiling data is implemented prior to processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 03:21 AM
Security Audit — agent-trust-hub — when-analyzing-performance-use-performance-analysis