claude-agent-sdk

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION / DYNAMIC_EXECUTION] (CRITICAL): The file templates/custom-mcp-server.ts defines a calculate tool that executes arbitrary JavaScript using eval(args.expression). Since the expression is derived from the agent's input (which can be influenced by untrusted user prompts), this allows for direct code execution on the host system.
  • [COMMAND_EXECUTION] (HIGH): Multiple files (e.g., templates/multi-agent-workflow.ts, templates/permission-control.ts) provide templates that grant agents access to the Bash tool. The implemented security check (canUseTool) relies on a narrow blacklist (e.g., rm -rf, shutdown) which is easily bypassed by attackers using alternative commands (e.g., perl, python, curl, nc).
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill templates are designed to ingest untrusted data (tasks, code reviews) and process them using agents with high-privilege capabilities.
      ◦ Ingestion points: The prompt parameter in query() and the task variable in templates/multi-agent-workflow.ts receive raw input from users or external sources.
      ◦ Boundary markers: Absent. Instructions are directly interpolated into agent prompts without delimiters or isolation.
      ◦ Capability inventory: Agents are granted Bash, Write, Edit, and Read permissions across the filesystem and shell (documented in templates/subagents-orchestration.ts and templates/permission-control.ts).
      ◦ Sanitization: Only superficial blacklisting of specific bash strings is present, which does not prevent sophisticated prompt injection attacks targeting file operations or network exfiltration.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The templates/permission-control.ts and references/permissions-guide.md explicitly mention and permit patterns that modify or access sensitive files like .env, credentials, secrets, and .ssh/ with only a simple 'ask' prompt, which can be bypassed via prompt injection or user social engineering.
  • [PRIVILEGE_ESCALATION] (HIGH): The documentation in references/permissions-guide.md and code in templates/permission-control.ts promotes the use of bypassPermissions mode, which removes all safeguards and grants the AI agent unrestricted root-equivalent access to the execution environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 15, 2026, 08:32 PM