claude-agent-sdk
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides template files (workflows/add-custom-tools.md and templates/custom-tool-python.py) that demonstrate using the Python eval() function to process user-provided strings for a calculator tool. Executing untrusted code via eval is a high-risk pattern that can be exploited for arbitrary code execution if not strictly controlled.
- [COMMAND_EXECUTION]: The SDK features a built-in Bash tool that allows agents to execute arbitrary terminal commands. Multiple documentation files and templates (references/built-in-tools.md, templates/agent-with-tracking-python.py) show how to enable and use this capability, which provides a direct path to host system manipulation. The SDK documents various permission modes like 'bypassPermissions' that skip safety checks.
- [PROMPT_INJECTION]: The skill documentation describes building agents that ingest untrusted data from the web (WebSearch, WebFetch) or local files (Read). This creates a significant surface for indirect prompt injection.
  - Ingestion points: Files like references/built-in-tools.md describe tools that read external content into the agent context.
  - Boundary markers: Explicit delimiters or warnings to ignore embedded instructions are not enforced by default in the provided templates.
  - Capability inventory: The skill includes powerful tools such as Bash, Write, Edit, and Task (references/built-in-tools.md).
  - Sanitization: The SDK provides hooks and permission handlers for sanitization (references/permissions.md), but they require manual implementation by the developer.
Audit Metadata