k6-perf-test-website

Warn

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The scaffolding instructions in SKILL.md and assets/README.md describe a process where user-provided workflow names are interpolated into a sed shell command to replace placeholders in project files. This pattern creates a potential shell command injection vulnerability if the user-supplied workflow name contains shell metacharacters.
  • [COMMAND_EXECUTION]: The run-with-monitor.sh script executes an embedded Python script by piping a block of code to the python3 interpreter to process and summarize CSV data generated during the load test.
  • [COMMAND_EXECUTION]: The lg-monitor.sh utility script executes several system-level commands, including pgrep, ps, top, netstat, and route, to collect resource utilization metrics from the host machine during test execution.
  • [REMOTE_CODE_EXECUTION]: Multiple test templates, including smoke.js, browser.js, and soak.js, import external JavaScript modules from https://jslib.k6.io. These modules are executed within the k6 runtime environment to provide testing utilities and assertions.
  • [EXTERNAL_DOWNLOADS]: The package.json file installs har-to-k6 and playwright as development dependencies. The skill also instructs the agent to download the Chromium browser via npx playwright install chromium as part of the setup process.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 17, 2026, 01:27 PM
Security Audit — agent-trust-hub — k6-perf-test-website