Skip to content

Comprehensive overview for difficulties with security analyzer #819

New issue
New issue
Closed
#1052
Closed
Comprehensive overview for difficulties with security analyzer#819
#1052
@malhotra5

Description

@malhotra5
malhotra5
opened on Oct 20, 2025

This is a comprehensive issue which describes the current architecture specifically for the security analyzer. It also describes the difficulties client applications of the agent-sdk face when attempting to utilize this feature. The complexity can be broken into three categories as follows

(UNSOLVED): Security analyzer <> security policy relation

The security analyzer and security policy are configured independently yet closely related. The idea being that we introduce new fine-grained client defined policies when using the same analyzer. However, currently it adds extra overhead for clients to maintain a reasonable mapping

  1. Always confirm <> No analyzer required (all actions by default require user confirmation)
  2. Never confirm <> No analyzer required (all actions by default require no user confirmation)
  3. Risk based confirmation <> LLM analyzer (LLM determines high risk actions which require user confirmation)

This is the expected set of mapping between security policies and analyzers at the moment. Unfortunately, clients can choose other combinations such as Never Confirm <> LLM Analyzer. This scenario is especially likely to occur when switching analyzers. In the V1 CLI, the user may enable the security analyzer mid conversation. This requires the client to enable the LLM security analyzer. If the client forgets to update the security policy as well, then confirmation mode will not work as expected.

Related PRs:

(SOLVED): Reconciliation with persistent state

This related to the difficulty of toggling the security analyzer. We used to have logic that is triggered when the agent is initialized. Once initialized, updating the security analyzer would fail to update other parts of the agent (tools, prompts, etc). The workaround was to save everything to persistent state, restart the conversation and re-initialize the agent to trigger the same entry points.

Related issue:

Related PRs:

(UNSOLVED): Immutability and mid conversation switch

The security_risk risk parameter is dynamically added to Tools depending on whether the LLM security analyzer is active. The tool descriptions are passed to the agent's system prompt, which is how the agent is aware of this requirement. The problem is that the agent history/system prompt is immutable. This leads to complications when toggling the security analyzer. We have three scenarios

Scenario 1:

  • Security analyzer exists when starting conversation
  • System prompt includes tools with security_risk
  • Security analyzer is removed mid conversation
  • No risk field is expected, but LLM still believes it needs to pass this field because system prompt was not updated. Passing field will crash the conversation

Scenario 2:

  • Security analyzer was not included at start of conversation
  • System prompt does not include information on passing security_risk fields
  • Security analyzer is added later in the conversation
  • security_risk is a required field, but LLM is unaware of this requirement since system prompt did not include this information

Scenario 3:

  • Similar to 1, but:
  • The security analyzer is removed mid conversation
  • The conversation is fully reloaded
  • ActionEvents are created in history, and they have the old security_risk field
  • Validation fails, and leads to an infinite loop
"arguments": "{\"command\": \"ls -al ~/.openhands\", \"security_risk\": \"LOW\"}

Related PRs:

Related Issues:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions