claude-sdk
Warn
Audited by Snyk on Jun 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (medium risk: 0.65). The skill’s runtime workflow can include WebFetch/WebSearch (public web content) and MCP servers (e.g., GitHub/Slack/Drive or other third-party/community servers), whose fetched/returned free-form text is ingested into the agent’s LLM context via tool outputs; this is an outsider-source path enabling indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The MCP server configuration in the skill runs external packages at runtime (e.g., "npx -y @modelcontextprotocol/server-github" and "docker run mcp-postgres-server"), which will fetch and execute remote code and can expose tool definitions that directly affect agent behavior (see the referenced MCP site https://modelcontextprotocol.io).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill's documentation explicitly references payment-related integrations and tools: it lists Stripe as an example MCP server (a payment gateway) and includes a test/integration example asserting "process_payment" in tool_calls. Those are specific, finance-focused APIs/tools that enable sending/processing payments (i.e., moving money). Although the SDK is general-purpose, the presence of explicit payment gateway integration and a payment-processing tool constitutes direct financial execution capability.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata