openhands-api
Fail
Audited by Snyk on May 8, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.85). The skill explicitly instructs the agent to extract session_api_key (and use Authorization Bearer keys) from conversation JSON and include them in request headers (e.g., X-Session-API-Key / Authorization: Bearer), which requires the LLM to handle and embed secret values verbatim in generated requests/commands.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated conversation content from the OpenHands Cloud app/agent servers (e.g., GET /api/v1/conversation/{id}/events/search, GET /api/v1/app-conversations/{id}/download and the agent-server /api/conversations/{id}/events/search endpoints), and the documentation and client code show the agent is expected to read and act on those event/trajectory payloads which could contain untrusted instructions that influence subsequent tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls a runtime-discovered sandbox API endpoint ({agent_server_url}/api/bash/execute_bash_command) to execute arbitrary bash commands on the remote agent server, so this is a runtime external URL that can execute code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly exposes agent-server endpoints for executing arbitrary bash commands and uploading/downloading files by absolute path (i.e., write access to the filesystem), which can modify the host/sandbox state and thus risks compromising the machine even if it doesn't explicitly ask for sudo or user creation.
Issues (4)
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata