This agent skill allows arbitrary command execution,
Claims to do
Agent Development for Claude Code Plugins: Agents are autonomous subprocesses that handle complex, multi-step tasks independently. Understanding agent structure, triggering conditions, and system prompt design enables creating powerful autonomous capabilities.
Actually does
This skill provides comprehensive documentation and best practices for developing 'agents' within Claude Code plugins. It details the structure of agent markdown files, including YAML frontmatter fields (name, description, model, color, tools) and the system prompt body. It offers guidance on defining triggering conditions, choosing models and colors, restricting tool access, writing effective system prompts, validation rules, and methods for creating and testing agents. It does not execute any commands, access external data, or contact URLs.
Agents are explicitly allowed to use the `Bash` tool, granting arbitrary command execution capabilities. This poses a critical risk for reverse shells, data exfiltration, persistence, privilege escalation, and system compromise.
Evidence: `tools: ["Read", "Write", "Grep", "Bash"]`, `Common tool sets: ... ["Read", "Bash", "Grep"]`
If the `tools` field is omitted, agents default to having access to all tools, including `Bash` and `Write`. The `Write` tool allows file modification, which can be used for persistence, data manipulation, or resource abuse.
Evidence: `Default: If omitted, agent has access to all tools`, `tools: ["Read", "Write", "Grep"]`
Agents are automatically discovered and loaded from `.md` files within the `agents/` directory. This creates a supply chain risk where an attacker could introduce a malicious agent file, which would then be loaded and potentially executed with elevated privileges.
Evidence: `All .md files in agents/ are auto-discovered.`
The `description` and `system prompt` fields are user-defined and directly control agent triggering and behavior. Malicious input in these critical fields can lead to prompt injection, semantic manipulation, or hidden instructions, potentially bypassing safety mechanisms.
Evidence: `description (required) ... This is the most critical field.`, `The markdown body becomes the agent's system prompt.`
The AI-assisted agent generation process takes a user-provided description (`[YOUR DESCRIPTION]`) to create an agent's configuration, including its system prompt. An attacker could craft this input to inject malicious instructions into the generated agent, leading to a meta-prompt injection attack.
Evidence: `Create an agent configuration based on this request: "[YOUR DESCRIPTION]"`, `Return JSON with: ... "systemPrompt": "You are..."`
Source: https://mondoo.com/ai-agent-security/skills/github/anthropics/claude-code/agent-development