claude-code-headless
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The integration patterns in references/integration-patterns.md provide templates for Express.js and FastAPI servers that wrap the CLI. These examples take user-provided prompts and tool lists directly from HTTP request bodies and pass them as arguments to spawn and subprocess.run. While these methods are generally safer than shell execution, they create a high-risk surface for prompt-driven command execution and lack any input validation or authentication.
- [PROMPT_INJECTION] (LOW): The skill documents and encourages the use of the --permission-mode bypassPermissions flag (found in SKILL.md and references/cli-options.md). This allows the agent to perform file modifications and execute bash commands without any human-in-the-loop confirmation, significantly increasing the impact of any successful prompt injection.
- [INDIRECT_PROMPT_INJECTION] (LOW): Mandatory Evidence Chain for references/integration-patterns.md:
  - Ingestion points: The skill recommends piping untrusted data like git diff and PR descriptions directly into the agent via cat diff.txt | claude -p ....
  - Boundary markers: Absent. The examples do not use delimiters or instructions to ignore embedded commands in the diffs.
  - Capability inventory: The documented usage involves tools with high impact, specifically Bash, Write, and Edit.
  - Sanitization: None provided in the shell script or CI/CD templates.
- [CREDENTIALS_UNSAFE] (SAFE): While ANTHROPIC_API_KEY is mentioned, it is correctly identified as an environment variable to be managed via secrets managers (e.g., GitHub Secrets) rather than being hardcoded.
Audit Metadata