agent-sdk-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill instructs the agent to clone repositories from 'github.com/OpenHands'. Since this organization is not on the trusted list, the content is considered untrusted. Malicious scripts or instructions within these repositories could compromise the environment.
- PROMPT_INJECTION (HIGH): The skill is vulnerable to indirect prompt injection via the {INITIAL_PROMPT} variable. [Ingestion points]: {INITIAL_PROMPT} and remote files like llms.txt. [Boundary markers]: None present to separate user input from system instructions. [Capability inventory]: Subprocess execution (git), file writing to workspace, and local web server management. [Sanitization]: None mentioned; the agent executes logic based on untrusted requirements.
- COMMAND_EXECUTION (MEDIUM): The use of git clone and a built-in web server provides a platform for executing arbitrary logic if the agent is influenced by a malicious prompt.
- CREDENTIALS_UNSAFE (LOW): The skill references LLM_API_KEY. While no keys are hardcoded, the lack of input sanitization creates a risk that an attacker could use prompt injection to exfiltrate these environment variables.
Recommendations
- AI detected serious security threats
Audit Metadata