Claude SDK Expert

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly exposes the agent to untrusted public web content — SKILL.md lists WebFetch/WebSearch as built-in tools and the included resources/code-examples.py (research_agent) demonstrates using web_search/web_fetch to retrieve and summarize arbitrary web pages/search results that the agent reads and acts on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The mcp_integration_example invokes an npx command to fetch and run the @modelcontextprotocol/server-github package at runtime (npx -y @modelcontextprotocol/server-github — https://www.npmjs.com/package/@modelcontextprotocol/server-github), which executes remote code and supplies MCP context that can directly control agent prompts/instructions and is used as a required runtime dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly lists Stripe (a payment gateway) among "Popular MCP Servers" and describes MCP integration for defining custom tools. That implies the SDK is intended to integrate directly with payment APIs (e.g., Stripe) enabling agents to call payment endpoints or perform transactions. Because a specific payment gateway is named and MCP tooling is a primary feature, this grants direct financial execution capability.