Claude Agent SDK

Security checks across malware telemetry and agentic risk

Overview

This is mostly a Claude Agent SDK documentation skill, but it includes runnable examples with unsafe code evaluation and broad agent edit/shell authority, so users should review it before installing or running templates.

Install only if you are specifically building with Claude Agent SDK. Before running or copying templates, replace the eval-based calculator with a safe math parser, avoid printing API keys, keep credentials in environment/secret storage, restrict workingDirectory and allowedTools, require human approval for Write/Edit/Bash and production actions, and run agent workflows in a sandbox or disposable branch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The calculate tool evaluates attacker-controlled input with JavaScript eval(), which can lead to arbitrary code execution in the server process rather than simple arithmetic. In an MCP tool context, this is especially dangerous because the agent can be induced to pass untrusted expressions into the tool, potentially enabling command execution, data theft, or process compromise.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The auto-trigger list includes broad use-case phrases such as general development and operations tasks that can match many ordinary requests unrelated to this specific skill. In an agentic system, overbroad activation can cause the wrong skill to load, introducing unnecessary capabilities or guidance around tool use, filesystem access, and autonomous execution into contexts where the user did not intend it.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The error-based triggers include generic phrases like CLI, authentication, timeout, permission, and validation failures that are common across many tools and workflows. This can misroute unrelated troubleshooting requests into this skill, potentially causing unsafe assumptions, incorrect remediation, or unintended exposure to agent/tooling workflows that are more powerful than necessary.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README promotes autonomous agents, tool integration, MCP servers, session management, and filesystem settings, but it does not clearly warn users about execution, file access, persistent session state, or side effects. In this context, the omission is security-relevant because the skill is explicitly designed for coding agents, SRE systems, and automation, where users may unknowingly enable impactful operations on local files or external systems.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation provides HTTP MCP examples with Authorization headers and remote endpoints without warning that prompts, tool inputs, and tokens may be sent to third-party services. In an agent-building skill, users may copy these patterns directly and inadvertently exfiltrate secrets or sensitive data to external systems.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The skill instructs users to set ANTHROPIC_API_KEY but does not warn against hardcoding, logging, committing, or exposing the key in shell history and shared environments. This omission can contribute to credential leakage, especially in copy-paste onboarding workflows.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The guide includes an Authorization header with an inline bearer token placeholder but does not explicitly instruct readers to source secrets from environment variables or a secret manager, avoid hardcoding, and prevent logging of credentials. In documentation for agent plugins and remote MCP servers, this omission can normalize unsafe secret-handling patterns that lead to credential exposure in code, configs, or telemetry.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation instructs users to print the full value of ANTHROPIC_API_KEY with `echo $ANTHROPIC_API_KEY`, which can expose secrets in terminal history, shell logs, screen recordings, CI logs, or shared sessions. Even though this is framed as troubleshooting guidance, encouraging full secret disclosure is unsafe and can directly lead to credential compromise.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: Multiple specialized agents are granted the Bash tool, enabling arbitrary shell command execution from model-driven workflows. Although there is a lightweight denylist and confirmation for some production commands, this is not a safe sandbox and does not meaningfully constrain the broad command surface available to the agents, so prompt injection or task manipulation could lead to local command execution.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The workflow passes process.cwd() as the working directory to the agent, exposing the local project and potentially adjacent sensitive files to model-controlled tools such as Read, Grep, and Bash. In a multi-agent autonomous DevOps context, this materially increases the risk of unauthorized file access, secret discovery, or environment reconnaissance if prompts or tool use are influenced by malicious input.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The logging example stores full tool input and explicitly suggests forwarding it to an external service, which can capture prompts, file paths, command arguments, secrets, or other sensitive data without any minimization or warning. In an agent SDK context where tool inputs may include credentials or proprietary code, this creates a realistic risk of sensitive data exposure through logs or third-party telemetry.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The template explicitly grants the agent Write and Edit capabilities while prompting it to "fix any vulnerabilities," yet there is no approval gate, dry-run mode, or user confirmation before changes are applied. In an agent skill used for coding, security auditing, or troubleshooting, this can lead to unintended or unsafe code modification, including destructive edits or incorrect security fixes, especially if the model misidentifies issues.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: This template orchestrates production deployment using subagents with Bash access and explicitly targets production, but it provides no explicit user confirmation, approval gate, or dry-run safeguard before destructive or production-affecting actions. In an agent skill context, that makes accidental or prompt-induced deployment changes materially risky because the workflow normalizes autonomous execution against live systems.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The incident-response workflow grants agents Bash and Edit capabilities to investigate and implement fixes, yet it does not clearly disclose to the user that the workflow may modify code or live systems as part of remediation. During urgent incident handling, this increases the chance of unintended file changes, unsafe hotfixes, or production-impacting commands being executed without meaningful operator awareness or consent.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
    options: {
      model: "claude-sonnet-4-5",
      workingDirectory: "/path/to/project",
      permissionMode: "acceptEdits"  // Auto-approve file edits
    }
  });
Confidence: 84%
Finding: Auto-approve

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
      }
    }

    // Staging auto-approves edits
    if (environment === 'staging') {
      if (toolName === 'Write' || toolName === 'Edit') {
        return { behavior: "allow" };
Confidence: 81%
Finding: auto-approve

VirusTotal

64/64 vendors flagged this skill as clean.