openhands-api-v1

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to extract API/session keys (e.g., OPENHANDS_API_KEY and session_api_key) and include them verbatim in request headers (Authorization: Bearer ... and X-Session-API-Key), which requires the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated conversation/events and trajectory data from the OpenHands Cloud app and sandbox agent servers (e.g., GET /api/v1/conversation/{id}/events/search, GET /api/v1/app-conversations/{id}/download and the agent-server /api/conversations/.../events/search endpoints), and SKILL.md plus the client scripts show agents are expected to read/interpret those events (and may act on them, e.g., calling /api/bash/execute_bash_command), so untrusted third-party messages could indirectly inject instructions affecting tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The client uses the runtime API at https://app.all-hands.dev (DEFAULT_BASE_URL) to obtain sandbox agent_server_url and session_api_key and then calls agent-server endpoints such as /api/bash/execute_bash_command, which enables executing arbitrary remote shell commands—so the external URL is used at runtime and enables remote code execution.