claude-agent-sdk
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation and templates provide instructions for building agents capable of executing arbitrary shell commands via the 'Bash' tool. It includes a specific security template (
templates/hook-example-python.py) that demonstrates how to implement hooks to intercept and block dangerous commands such as fork bombs and unauthorized file modifications. - [COMMAND_EXECUTION]: The templates
templates/custom-tool-python.pyandworkflows/add-custom-tools.mdinclude a 'calculate' tool example that utilizes Python'seval()function to process mathematical expressions from agent input. While the examples attempt to sandbox the execution by restricting__builtins__, this pattern creates a risk surface for dynamic code execution if the input is not strictly validated. - [SAFE]: Static detection of a fork bomb string (
:(){ :|:& };:) intemplates/hook-example-python.pyis a false positive regarding malicious intent. The pattern is used exclusively within adangerous_patternslist to teach developers how to detect and block such attacks using the SDK's hook system. - [SAFE]: All external dependencies and references target official Anthropic repositories, well-known registries (NPM/PyPI), or the author's official GitHub repository, representing standard developer toolkit functionality.
Audit Metadata