claude-api
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to install official SDKs from trusted organizations, including the `anthropic` and `claude-agent-sdk` Python packages, and the `@anthropic-ai/sdk` and `@anthropic-ai/claude-agent-sdk` Node.js packages. It also references official documentation and repositories under `platform.claude.com` and `github.com/anthropics/`.
- [COMMAND_EXECUTION]: The Agent SDK documentation (e.g., in `python/agent-sdk/README.md`) describes built-in tools like `Bash` for executing shell commands and `Edit` for modifying files. While these are documented capabilities of the SDK, they represent high-privilege operations that must be used with caution in agentic loops.
- [DATA_EXFILTRATION]: The skill documents the `WebSearch` and `WebFetch` tools, which allow an agent to retrieve content from external websites. While intended for legitimate information gathering, this capability can be a vector for data exfiltration if an agent is successfully prompted to send sensitive local data to an attacker-controlled URL.
- [DATA_EXFILTRATION]: The documentation and examples (e.g., in `python/claude-api/README.md`) correctly use environment variables and placeholders for API keys, avoiding the inclusion of hardcoded secrets.
- [SAFE]: The skill includes security best practices, such as sanitizing filenames with `os.path.basename()` to prevent path traversal attacks when handling generated files (documented in `shared/tool-use-concepts.md`).
- [SAFE]: All external URLs and package dependencies target the official Anthropic infrastructure or well-known, trusted technology platforms.
Audit Metadata