k6-perf-test-website
Warn
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The scaffolding instructions in
SKILL.mdandassets/README.mddescribe a process where user-provided workflow names are interpolated into asedshell command to replace placeholders in project files. This pattern creates a potential shell command injection vulnerability if the user-supplied workflow name contains shell metacharacters. - [COMMAND_EXECUTION]: The
run-with-monitor.shscript executes an embedded Python script by piping a block of code to thepython3interpreter to process and summarize CSV data generated during the load test. - [COMMAND_EXECUTION]: The
lg-monitor.shutility script executes several system-level commands, includingpgrep,ps,top,netstat, androute, to collect resource utilization metrics from the host machine during test execution. - [REMOTE_CODE_EXECUTION]: Multiple test templates, including
smoke.js,browser.js, andsoak.js, import external JavaScript modules fromhttps://jslib.k6.io. These modules are executed within the k6 runtime environment to provide testing utilities and assertions. - [EXTERNAL_DOWNLOADS]: The
package.jsonfile installshar-to-k6andplaywrightas development dependencies. The skill also instructs the agent to download the Chromium browser vianpx playwright install chromiumas part of the setup process.
Audit Metadata