cli-release
Fail
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to verify the installation process by executing the vendor's official installer script from https://install.openhands.dev/install.sh via the shell.
- [COMMAND_EXECUTION]: The instructions automate administrative repository tasks such as merging pull requests, pushing git tags, and triggering GitHub Actions workflows. These operations use the GitHub CLI and API and rely on environment-provided credentials.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its handling of untrusted metadata from GitHub.
- Ingestion points: Pull request metadata and check statuses are read into the agent context via 'gh pr list' and 'gh pr checks' in SKILL.md.
- Boundary markers: The instructions do not define clear boundaries or 'ignore' rules for the content fetched from the repository.
- Capability inventory: The agent can perform high-impact actions like merging pull requests and triggering builds, as seen in SKILL.md.
- Sanitization: No mechanisms are implemented to sanitize or validate the data retrieved from the GitHub API.
- Mitigation: Security is maintained through numerous explicit human approval steps ('🚨 STOP') before any sensitive or irreversible repository changes are executed.
Recommendations
- HIGH: Downloads and executes remote code from: https://install.openhands.dev/install.sh - DO NOT USE without thorough review
Audit Metadata