openhands-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to include a user-provided webhook signing secret in the JSON payload ("If they have one → include webhook_secret in the request"), which would require the LLM to output secret values verbatim (in addition to curl examples that show Authorization headers), creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and loads third‑party code and content — e.g., the "Plugin Preset" and "Repository Cloning" sections in SKILL.md allow fetching plugins and cloning arbitrary GitHub/git URLs, and the Event‑Triggered Automations expose webhook payloads (e.g., comment.body from GitHub) that the agent is instructed to read and act on — meaning untrusted, user‑generated content can influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches and loads external Git repositories at runtime via plugin/repo sources (e.g., github:owner/repo or https://github.com/owner/repo) which can provide plugins/skills that control agent prompts and behavior, and the custom-automation setup recommends executing a remote install script (https://astral.sh/uv/install.sh) via curl | sh — both are runtime-fetchable external resources that can execute remote code or directly control agent instructions.