agent-sdk
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection surface detected in agent templates.
  1. Ingestion points: Untrusted CLI arguments in resources/python/agent.py (sys.argv[1]) and resources/typescript/agent.ts (process.argv[2]).
  2. Boundary markers: Absent; the prompt is interpolated directly into the agent's run call.
  3. Capability inventory: Bash (shell execution), Write (file modification), and Edit.
  4. Sanitization: Absent; no validation or escaping of external input before prompt interpolation.
  This combination allows an attacker to control a shell-executing agent via maliciously crafted input.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Documentation recommends the use of npx -y to execute remote tools from the Model Context Protocol (MCP) registry at runtime (e.g., @modelcontextprotocol/server-postgres). This introduces a dependency on the integrity of third-party package registries and enables remote code execution if the package is compromised.
- [COMMAND_EXECUTION] (MEDIUM): The skill explicitly configures and promotes tools for arbitrary shell execution (Bash) and file system modification (Write, Edit, Read) as core features of the generated agents. While functional, these present a high-impact capability if misused.
- [EXTERNAL_DOWNLOADS] (LOW): The skill downloads dependencies from NPM and PyPI (@anthropic-ai/claude-agent-sdk, claude-agent-sdk). Since these originate from Anthropic-managed scopes (matching the trusted organization list), this finding is downgraded to LOW per [TRUST-SCOPE-RULE].
Recommendations
- AI detected serious security threats