agent-sdk-builder

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted user data and external content without adequate isolation.
  • Ingestion points: User input via the {INITIAL_PROMPT} variable and external content from cloned GitHub repositories (OpenHands/software-agent-sdk and OpenHands/docs).
  • Boundary markers: Absent; there are no delimiters or "ignore embedded instructions" warnings surrounding the interpolated input.
  • Capability inventory: The agent can perform network operations (git clone), file system modifications (writing to plan/, temp/, and output/), and render dynamic content via a built-in web server.
  • Sanitization: No validation or sanitization is specified for the inputs before they are used in plan generation or code implementation.
  • [EXTERNAL_DOWNLOADS]: Fetches examples and documentation from the official OpenHands project repositories on GitHub (github.com/OpenHands/software-agent-sdk and github.com/OpenHands/docs).
  • [COMMAND_EXECUTION]: Instructs the agent to clone repositories using git and create a directory structure (temp/, plan/, output/) to store analysis results, plans, and generated code.
  • [CREDENTIALS_UNSAFE]: Provides guidance for users to configure their LLM_API_KEY using an environment variable, which is a standard and recommended practice for secret management.
Audit Metadata
Risk Level
SAFE
Analyzed
May 14, 2026, 12:17 AM
Security Audit — agent-trust-hub — agent-sdk-builder