claude-agent-sdk

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documentation and templates provide instructions for building agents capable of executing arbitrary shell commands via the 'Bash' tool. It includes a specific security template (templates/hook-example-python.py) that demonstrates how to implement hooks to intercept and block dangerous commands such as fork bombs and unauthorized file modifications.
  • [COMMAND_EXECUTION]: The templates templates/custom-tool-python.py and workflows/add-custom-tools.md include a 'calculate' tool example that utilizes Python's eval() function to process mathematical expressions from agent input. While the examples attempt to sandbox the execution by restricting __builtins__, this pattern creates a risk surface for dynamic code execution if the input is not strictly validated.
  • [SAFE]: Static detection of a fork bomb string (:(){ :|:& };:) in templates/hook-example-python.py is a false positive regarding malicious intent. The pattern is used exclusively within a dangerous_patterns list to teach developers how to detect and block such attacks using the SDK's hook system.
  • [SAFE]: All external dependencies and references target official Anthropic repositories, well-known registries (NPM/PyPI), or the author's official GitHub repository, representing standard developer toolkit functionality.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:38 PM
Security Audit — agent-trust-hub — claude-agent-sdk