cost-benchmark
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a local JavaScript file (bench.mjs) using Node.js. This is a standard operation for running performance benchmarks within a development repository.
- [CREDENTIALS_UNSAFE]: The instructions describe the retrieval of sensitive API keys (GOOGLE_AI_API_KEY, ANTHROPIC_API_KEY) from gcloud secrets or via environment variable overrides. While this involves sensitive data, it follows standard secret management practices for developer tools.
- [PROMPT_INJECTION]: The skill ingests data from a 'structural+adversarial corpus' (booster-corpus.json). This represents an indirect prompt injection attack surface where untrusted data is processed by the agent, though the stated purpose is diagnostics and benchmarking.
Audit Metadata