anthropic-docs-updater
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted external data and has the capability to modify the filesystem of another skill.
  - Ingestion points: scripts/fetch-docs.py downloads content from raw.githubusercontent.com (lines 17-20).
  - Boundary markers: None. The scripts/process-docs.py script performs only "basic processing" and does not add delimiters or warnings to the content before it is stored.
  - Capability inventory: scripts/update-skill.py contains capabilities to delete the target skill's directory (shutil.rmtree at line 86) and overwrite its files (shutil.copy2 at line 41).
  - Sanitization: None. Content is read and written as raw text without validation or escaping.
- [External Downloads] (LOW): The skill makes network requests to fetch updates and documentation.
  - Evidence: scripts/check-updates.py (line 30) and scripts/fetch-docs.py (line 20) use the requests library.
  - Status: Downgraded to LOW per [TRUST-SCOPE-RULE] because the target repositories (anthropics/anthropic-sdk-python and anthropics/claude-agent-sdk-python) are within the trusted anthropics organization.
Recommendations
- AI detected serious security threats