claude-agent-sdk
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The file examples.md provides an implementation for an execute_code tool that uses the subprocess module to run arbitrary Python and Bash commands on the local system.
- [EXTERNAL_DOWNLOADS]: The scripts/check_drift.py utility fetches content from external documentation sources (including Anthropic's official domains and community repositories) using the requests library to monitor for updates.
- [DATA_EXFILTRATION]: Implementation templates for filesystem tools in examples.md (safe_file_operation) permit the agent to read and write files based on user-provided or agent-generated paths.
- [PROMPT_INJECTION]: The skill architecture is designed for autonomous agents that ingest untrusted data (user tasks) while possessing extensive system capabilities, creating a surface for Indirect Prompt Injection.
  - Ingestion points: Untrusted user tasks entering the agent context via the Agent.run() method in SKILL.md and examples.md.
  - Boundary markers: The skill suggests role-based system prompts for instructions but does not enforce hard delimiters for user input by default.
  - Capability inventory: High-privilege tool capabilities including shell access (bash), file operations, and MCP server integration are documented across reference.md and examples.md.
  - Sanitization: While examples.md provides a SecurityValidationHook for filtering dangerous command patterns, it is presented as an optional example rather than a required architectural constraint.
Audit Metadata