agentica-claude-proxy
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [Remote Code Execution] (MEDIUM): The skill architecture relies on a REPL parser to extract and execute Python code blocks generated by the AI agent (as described in the 'REPL Response Format' section). This dynamic execution of model-generated strings is a high-risk pattern that can be exploited if the model is manipulated into generating malicious code.
- [Command Execution] (LOW): The skill documentation explicitly requires the 'Bash' tool and provides examples of using 'subprocess.run' to invoke the Claude CLI. This provides the agent with direct shell access and the ability to execute arbitrary commands on the host system.
- [Indirect Prompt Injection] (LOW): The skill processes data from external tool outputs (Claude CLI). Evidence:
  - Ingestion points: Tool outputs from the 'claude -p' command are processed by the Agentica agent.
  - Boundary markers: None identified in the provided integration snippets.
  - Capability inventory: The system has access to 'Bash', 'Read', and a Python REPL.
  - Sanitization: No sanitization or validation of external tool output is documented before processing.
- [Data Exposure] (SAFE): While the skill mentions network endpoints and log files, it uses 'localhost' and project-relative paths, with no evidence of hardcoded credentials or exfiltration of sensitive files like SSH keys or environment secrets.
Audit Metadata