performance-review

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill navigates to external, user-specified URLs to perform performance audits.
      • Evidence: Phase 3 (Analyze) uses browser navigation to collect data from a 'Target URL'.
  • [COMMAND_EXECUTION]: The skill executes JavaScript within the browser to collect performance metrics and generates test scripts for regression testing.
      • Evidence: Phase 3 contains JavaScript snippets for PerformanceObserver and Phase 5 generates a YAML regression test containing executable JavaScript.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by ingesting and processing content from external web pages.
      • Ingestion points: Browser navigation to external URLs (SKILL.md, Phase 3).
      • Boundary markers: Absent.
      • Capability inventory: Browser automation tools and file system writes for report and test generation.
      • Sanitization: No explicit sanitization or filtering of external page content is mentioned before processing.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 19, 2026, 04:32 PM