Skills
skills/nucliweb/webperf-snippets/webperf-core-web-vitals/Gen Agent Trust Hub

webperf-core-web-vitals

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the mcp__chrome-devtools__evaluate_script tool to execute JavaScript directly within the browser's context. This is required for its primary purpose of measuring web performance metrics.
  • [DATA_EXFILTRATION]: The scripts collect performance timing data and resource URLs from the active browser tab. This information is returned to the agent for analysis as structured data. No evidence of unauthorized data transmission to external servers was found.
  • [PROMPT_INJECTION]: The scripts ingest element IDs and class names from the DOM of the audited website. This represents an indirect prompt injection surface since the content is controlled by external sites, but the risk is assessed as low given the auditing use case.
  • [SAFE]: The JavaScript snippets provided were evaluated and found to perform standard performance monitoring tasks. The minification used is consistent with distribution practices for browser snippets and does not hide malicious intent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 7, 2026, 02:26 PM