automation
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the uv package manager installer from the well-known astral.sh domain to handle dependency management within the automation environment.
- [EXTERNAL_DOWNLOADS]: Retrieves plugins and extensions from GitHub repositories to provide extended capabilities to the AI agents.
- [REMOTE_CODE_EXECUTION]: Executes user-defined scripts and entrypoints inside isolated sandboxes, which is the core intended functionality for running scheduled automations.
- [COMMAND_EXECUTION]: Uses standard utilities such as curl and tar to interact with the OpenHands Cloud API and to prepare code packages for deployment.
- [INDIRECT_PROMPT_INJECTION]: Processes natural language instructions as prompts for automations which have access to sandbox tools and stored secrets. While this represents a potential attack surface for untrusted data, the risk is inherent to the automation use case and is mitigated by the platform's sandbox isolation and the requirement for authenticated access.
- Ingestion points: The prompt field in the /preset/prompt and /preset/plugin API requests (SKILL.md).
- Boundary markers: None explicitly defined in the API request structure for separating instructions from data.
- Capability inventory: Automations have full tool access including bash execution, file system manipulation, and network operations (SKILL.md).
- Sanitization: Validation is performed on input lengths and cron expressions, but natural language prompts are passed directly to the agent (references/custom-automation.md).
Audit Metadata