Claude Agent Sdk
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a Claude Agent SDK reference, but an included MCP template appears to evaluate an agent-supplied expression as code, which should be reviewed before use.
Review the templates before copying them into a project, especially `templates/custom-mcp-server.ts`. Avoid any eval-based tool, keep permissions narrow, protect API keys and session IDs, and connect agents only to trusted MCP servers.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Using this template as-is could let an agent execute unintended JavaScript in your local or server environment.
The supplied static scan reports a custom MCP template evaluating a tool argument as JavaScript. In an agent tool, that argument may be influenced by the model or user, creating arbitrary code execution risk if the template is copied or run.
const result = eval(args.expression);
Do not use the eval-based template unchanged. Replace it with explicit safe functions, a restricted expression parser, strong input validation, and sandboxing if code execution is truly required.

If copied into the wrong environment, agent workflows could modify files or run shell commands without normal approvals.
The skill documents high-impact permission modes. It also clearly labels bypass mode as dangerous and recommends sandboxed use, so this is purpose-aligned but important for users to notice.
`bypassPermissions` ... "Auto-approves EVERYTHING: All file operations, All bash commands, All tools"
Prefer default permissions, narrow `allowedTools`, use `canUseTool` checks, and reserve `bypassPermissions` for isolated containers or CI environments.

Leaking or mishandling the API key could expose your Anthropic account or incur usage charges.
The SDK examples require an Anthropic API key. This is expected for the stated purpose, but the key grants account and billing access.
export ANTHROPIC_API_KEY="sk-ant-..."
Store API keys in environment variables or a secrets manager, avoid committing them, and use the least-privileged credential available.

Sensitive prompts, code, or decisions may persist across resumed sessions if users store and reuse session IDs carelessly.
The skill teaches session persistence and session ID storage. This is central to SDK session management, but preserved context can include sensitive data or stale instructions.
"Persistent conversations" ... "Agent remembers everything" ... "Store session IDs for later use"
Protect session IDs, avoid placing secrets in prompts, and start a fresh session when switching trust boundaries or unrelated tasks.

A misconfigured or untrusted MCP server could receive tool requests or credentials intended for another service.
The skill documents remote MCP server connections with authorization headers. This is expected for MCP integrations, but it creates a trust boundary with an external tool server.
url: "https://api.example.com/mcp", headers: { "Authorization": "Bearer token" }
Use only trusted MCP servers, scope tokens narrowly, verify endpoints, and whitelist the specific MCP tools an agent may call.