performance-profiling
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The `scripts/lighthouse_audit.py` file uses `subprocess.run` to execute the `lighthouse` command-line utility. The implementation follows security best practices by passing arguments as a list rather than a shell string, mitigating common shell injection vulnerabilities.
- [EXTERNAL_DOWNLOADS]: The skill references the `lighthouse` Node.js package. This is a well-known, official performance auditing tool maintained by Google.
- [DATA_EXFILTRATION]: The script handles performance audit data using temporary files which are subsequently deleted after processing. No unauthorized access to sensitive local files, credentials, or exfiltration to untrusted domains was detected.
- [PROMPT_INJECTION]:
  - Ingestion points: The `scripts/lighthouse_audit.py` script accepts a URL via command-line arguments as described in `SKILL.md`.
  - Boundary markers: Not present for the input URL variable.
  - Capability inventory: Subprocess execution of external CLI tools (`lighthouse`) in `scripts/lighthouse_audit.py`.
  - Sanitization: The input URL is passed directly to the subprocess call without explicit validation or escaping.
Audit Metadata