agent-sdk-builder
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted user data and external content without adequate isolation.
- Ingestion points: User input via the
{INITIAL_PROMPT}variable and external content from cloned GitHub repositories (OpenHands/software-agent-sdkandOpenHands/docs). - Boundary markers: Absent; there are no delimiters or "ignore embedded instructions" warnings surrounding the interpolated input.
- Capability inventory: The agent can perform network operations (
git clone), file system modifications (writing toplan/,temp/, andoutput/), and render dynamic content via a built-in web server. - Sanitization: No validation or sanitization is specified for the inputs before they are used in plan generation or code implementation.
- [EXTERNAL_DOWNLOADS]: Fetches examples and documentation from the official OpenHands project repositories on GitHub (
github.com/OpenHands/software-agent-sdkandgithub.com/OpenHands/docs). - [COMMAND_EXECUTION]: Instructs the agent to clone repositories using
gitand create a directory structure (temp/,plan/,output/) to store analysis results, plans, and generated code. - [CREDENTIALS_UNSAFE]: Provides guidance for users to configure their
LLM_API_KEYusing an environment variable, which is a standard and recommended practice for secret management.
Audit Metadata