Is web-perf safe?

https://clawhub.ai/elithrar/web-perf

80
SAFE

The web-perf skill is a well-structured, narrowly-scoped Chrome DevTools performance auditing workflow with no executable code, no network activity during install, and no credential access. The primary concerns are: (1) a bundled adhd-assistant skill that requests significantly broader permissions including file I/O, memory persistence, and auto-activation via trigger phrases, and (2) an unpinned npx package installation recommendation. The web-perf skill itself is benign.

Category Scores (score out of 100 · weight)

Prompt Injection 72/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (7)

MEDIUM Bundled secondary skill with broader permissions -15

The audit target 'web-perf' was installed alongside 'adhd-assistant', a separate skill with significantly broader capability requests including persistent memory storage, file read/write for task lists, scheduling system access, and trigger-phrase-based auto-activation. While this may be a legitimate co-install, the adhd-assistant skill expands the agent's permission surface well beyond what 'web-perf' claims to need.

LOW MCP server installation recommendation via npx -8

The skill instructs the agent to recommend that the user install 'chrome-devtools-mcp@latest' via npx. This is a legitimate setup step for Chrome DevTools integration, but it directs execution of a third-party npm package fetched from the registry at run time. The package is named specifically and can be verified before use; the residual supply-chain risk is that 'npx -y' skips the install confirmation prompt and '@latest' resolves to whichever version is current when the command runs.

LOW Trigger-phrase auto-activation in adhd-assistant -5

The adhd-assistant skill defines broad trigger phrases ('I feel overwhelmed', 'I have too much to do', 'My brain is all over the place') that could cause the skill to activate during normal conversations, potentially overriding user intent or other skill behaviors.

LOW File read/write access requested by bundled skill -8

The adhd-assistant skill requests read/write access to user task files, dopamine menu documents, and weekly review summaries. Without proper sandboxing (a confined working directory, or an allowlist of paths the skill may touch), this file access could be used to read or write sensitive files outside the skill's own task directories.

LOW npx package execution recommendation -15

The skill recommends executing 'npx -y chrome-devtools-mcp@latest', which downloads and runs the package without version pinning. '@latest' is a dist-tag rather than a fixed version, so every invocation picks up the newest published release; a compromised release of the package, or of one of its transitive dependencies, would execute arbitrary code with the agent's privileges. The safer form pins an exact, reviewed version.

INFO Codebase reconnaissance template in Phase 5 -7

Phase 5 instructs the agent to search for build configs (webpack, vite, next.config), package.json dependencies, source maps, and polyfill configurations. This is legitimate for performance auditing but provides a structured reconnaissance methodology that maps the target project's build infrastructure.

INFO Browser navigation to arbitrary URLs -5

The navigate_page tool call accepts any URL, giving the agent the capability to load arbitrary web pages. In the context of performance auditing this is expected, but it could be chained with other capabilities for unintended purposes, such as loading hosts on the auditing machine's local network that were never meant to be audited.