claude-agent-sdk-python

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly exposes web-based tools ("WebSearch", "WebFetch" in Built-in Tools) and shows MCP integration that runs an external "github" MCP server (npx @modelcontextprotocol/server-github) which would fetch public GitHub content, so the agent can ingest untrusted, user-generated third-party content that can influence its actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly exposes a "bypassPermissions" permission_mode and includes examples allowing Bash/Write tools and external MCP commands (npx, docker), which enable agents to execute system-level actions and circumvent permission controls, so it can be used to compromise the host state.