CtrlK
BlogDocsLog inGet started
Tessl Logo

benchmark

Performance regression detection using the browse daemon. Establishes baselines for page load times, Core Web Vitals, and resource sizes. Compares before/after on every PR. Tracks performance trends over time. Use when: "performance", "benchmark", "page speed", "lighthouse", "web vitals", "bundle size", "load time". (gstack) Voice triggers (speech-to-text aliases): "speed test", "check performance".

Invalid
This skill can't be scored yet
Validation errors are blocking scoring. Review and fix them to unlock Quality, Impact and Security scores. See what needs fixing →
SKILL.md
Quality
Evals
Security

Security

2 findings — 1 critical severity, 1 medium severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.

Critical

E004: Prompt injection detected in skill instructions

What this means

Detected a prompt injection in the skill instructions. The skill contains hidden or deceptive instructions that fall outside its stated purpose and attempt to override the agent’s safety guidelines or intended behavior.

Why it was flagged

Potential prompt injection detected (high risk: 0.90). The prompt embeds many explicit operational actions unrelated to benchmarking—telemetry/brain-sync prompts that can publish session data, automatic edits/commits to CLAUDE.md (routing injection), vendoring migration/git rm steps, and other config changes—these are hidden side-effects outside the skill's stated purpose and can modify/exfiltrate project data, so they constitute deceptive/out-of-scope instructions.

Report incorrect finding
Medium

W012: Unverifiable external dependency detected (runtime URL that controls agent)

What this means

The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.

Why it was flagged

Potentially malicious external URL detected (high risk: 0.90). The skill's setup step downloads and executes a remote installer script (curl -fsSL "https://bun.sh/install" -> bash "$tmpfile") at runtime to install a required dependency, so https://bun.sh/install is a high-confidence runtime remote-code execution risk.

Report incorrect finding
Repository
garrytan/gstack
Commit

db9447c

Audited
Security analysis
Snyk

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill