Do not add security_risk unless security analyzer is enabled

[xingyaoww]

Fix #300

• We don't add security_risk when risk analyzer is not enabled
• We only add security_risk if the tool is not read-only

When security analyzer is enabled

Built in tools

{
    "id": "b4b7ca00-04ba-44b6-b2fa-34c058a911ce",
    "timestamp": "2025-09-18T14:50:09.541132",
    "source": "agent",
    "thought": [
        {
            "cache_prompt": false,
            "type": "text",
            "text": "I'll create the temporary file 'security_test.txt' as requested. Since you've explicitly marked this as a HIGH RISK ACTION, I'll use the appropriate security risk level."
        }
    ],
    "action": {
        "command": "create",
        "path": "/Users/xingyaow/Projects/All-Hands-AI/openhands-v1-dev/agent-sdk.worktree/worktree2/security_test.txt",
        "file_text": "This is a temporary test file created for security testing purposes.\nCreated at: $(date)",
        "kind": "openhands.tools.str_replace_editor.definition.StrReplaceEditorAction",
        "_du_spec": {
            "title": "openhands.tools.str_replace_editor.definition.StrReplaceEditorAction",
            "base": "openhands.sdk.tool.schema.Schema",
            "fields": {
                "command": {
                    "type": "Literal[view, create, str_replace, insert, undo_edit]",
                    "required": true
                },
                "path": {
                    "type": "str",
                    "required": true
                },
                "file_text": {
                    "type": "UnionType[str, NoneType]",
                    "required": false
                },
                "old_str": {
                    "type": "UnionType[str, NoneType]",
                    "required": false
                },
                "new_str": {
                    "type": "UnionType[str, NoneType]",
                    "required": false
                },
                "insert_line": {
                    "type": "UnionType[int, NoneType]",
                    "required": false
                },
                "view_range": {
                    "type": "UnionType[list[int], NoneType]",
                    "required": false
                } 
# <-- ACTION DOES NOT CONTAIN security_risk field
            }
        }
    },
    "tool_name": "str_replace_editor",
    "tool_call_id": "toolu_01Frfz1j7Av6g3FkFpg5R8hd",
    "tool_call": {
        "index": 1,
        "function": {
            "arguments": "{\"command\": \"create\", \"path\": \"/Users/xingyaow/Projects/All-Hands-AI/openhands-v1-dev/agent-sdk.worktree/worktree2/security_test.txt\", \"file_text\": \"This is a temporary test file created for security testing purposes.\\nCreated at: $(date)\", \"security_risk\": \"HIGH\"}",
# <-- Tool Call does CONTAIN security_risk field
            "name": "str_replace_editor"
        },
        "id": "toolu_01Frfz1j7Av6g3FkFpg5R8hd",
        "type": "function"
    },
    "llm_response_id": "chatcmpl-b23576b4-c876-4d60-a2c4-c8eca4a5a583",
    "metrics": {
        "model_name": "litellm_proxy/anthropic/claude-sonnet-4-20250514",
        "accumulated_cost": 0.0555801,
        "accumulated_token_usage": {
            "model": "litellm_proxy/anthropic/claude-sonnet-4-20250514",
            "prompt_tokens": 24474,
            "completion_tokens": 790,
            "cache_read_tokens": 24447,
            "cache_write_tokens": 9684,
            "reasoning_tokens": 0,
            "context_window": 0,
            "per_turn_token": 9624,
            "response_id": ""
        }
    },
    "security_risk": "HIGH",
# <-- security_risk field is moved to `ActionEvent` level
    "kind": "openhands.sdk.event.llm_convertible.ActionEvent"
}

Works for MCP too

{
    "id": "c5a162f4-e11e-44c1-8157-2c66bfeb3baf",
    "timestamp": "2025-09-18T14:58:04.167682",
    "source": "agent",
    "thought": [],
    "action": {
        "url": "https://github.com/All-Hands-AI/agent-sdk",
        "start_index": 10000,
        "kind": "openhands.sdk.tool.schema.FetchAction",
        "_du_spec": {
            "title": "openhands.sdk.tool.schema.FetchAction",
            "base": "openhands.sdk.tool.schema.Schema",
            "fields": {
                "url": {
                    "type": "str",
                    "required": true
                },
                "max_length": {
                    "type": "UnionType[int, NoneType]",
                    "required": false
                },
                "start_index": {
                    "type": "UnionType[int, NoneType]",
                    "required": false
                },
                "raw": {
                    "type": "UnionType[bool, NoneType]",
                    "required": false
                }
            }
        }
    },
    "tool_name": "fetch",
    "tool_call_id": "toolu_01K8Pgj8mjbyFig6NpTGeG6X",
    "tool_call": {
        "index": 0,
        "function": {
            "arguments": "{\"url\": \"https://github.com/All-Hands-AI/agent-sdk\", \"start_index\": 10000, \"security_risk\": \"LOW\"}",
# <--- security_risk works too
            "name": "fetch"
        },
        "id": "toolu_01K8Pgj8mjbyFig6NpTGeG6X",
        "type": "function"
    },
    "llm_response_id": "chatcmpl-dd32189d-3bcf-41f5-8da2-30dbe21b0f07",
    "metrics": {
        "model_name": "litellm_proxy/anthropic/claude-sonnet-4-20250514",
        "accumulated_cost": 0.022709100000000003,
        "accumulated_token_usage": {
            "model": "litellm_proxy/anthropic/claude-sonnet-4-20250514",
            "prompt_tokens": 16937,
            "completion_tokens": 321,
            "cache_read_tokens": 16922,
            "cache_write_tokens": 3406,
            "reasoning_tokens": 0,
            "context_window": 0,
            "per_turn_token": 6913,
            "response_id": ""
        }
    },
    "security_risk": "LOW",
# <--- security_risk works too
    "kind": "openhands.sdk.event.llm_convertible.ActionEvent"
}

When security risk is disabled

{
    "id": "64f4a1b4-75a1-4e91-afec-9e8e27e6ba49",
    "timestamp": "2025-09-18T14:50:38.849745",
    "source": "agent",
    "thought": [
        {
            "cache_prompt": false,
            "type": "text",
            "text": "I'll read the OpenHands GitHub repository and then create a FACTS.txt file with 3 facts about the project."
        }
    ],
    "action": {
        "url": "https://github.com/All-Hands-AI/OpenHands",
        "kind": "openhands.sdk.tool.schema.FetchAction",
        "_du_spec": {
            "title": "openhands.sdk.tool.schema.FetchAction",
            "base": "openhands.sdk.tool.schema.Schema",
            "fields": {
                "url": {
                    "type": "str",
                    "required": true
                },
                "max_length": {
                    "type": "UnionType[int, NoneType]",
                    "required": false
                },
                "start_index": {
                    "type": "UnionType[int, NoneType]",
                    "required": false
                },
                "raw": {
                    "type": "UnionType[bool, NoneType]",
                    "required": false
                }
            }
        }
    },
    "tool_name": "fetch",
    "tool_call_id": "toolu_01CXmnaRcpVwvDnv7ZXGEB9T",
    "tool_call": {
        "index": 1,
        "function": {
            "arguments": "{\"url\": \"https://github.com/All-Hands-AI/OpenHands\"}",
# <-- NO security risk in arguments
            "name": "fetch"
        },
        "id": "toolu_01CXmnaRcpVwvDnv7ZXGEB9T",
        "type": "function"
    },
    "llm_response_id": "chatcmpl-57a3492a-f26e-4baa-b05a-1affc1f1b72d",
    "metrics": {
        "model_name": "litellm_proxy/anthropic/claude-sonnet-4-20250514",
        "accumulated_cost": 0.019965750000000004,
        "accumulated_token_usage": {
            "model": "litellm_proxy/anthropic/claude-sonnet-4-20250514",
            "prompt_tokens": 4,
            "completion_tokens": 94,
            "cache_read_tokens": 0,
            "cache_write_tokens": 4945,
            "reasoning_tokens": 0,
            "context_window": 0,
            "per_turn_token": 98,
            "response_id": ""
        }
    },
    "security_risk": "UNKNOWN",
# <-- unknown security risk
    "kind": "openhands.sdk.event.llm_convertible.ActionEvent"
}

[xingyaoww]

@OpenHands please fix the failing actions on PR #341 at branch xw/dynamic-security-analyzer

Review diff against main and understand the implementation. Then, DO NOT CHANGE IMPLEMENTATION AND JUST FIX THE TESTS!

You should also add test for "We only add security_risk if the tool is not read-only"

[openhands-ai]

I'm on it! xingyaoww can track my progress at all-hands.dev

[openhands-ai]

I have successfully fixed all failing tests for PR #341 on the xw/dynamic-security-analyzer branch. Here's what was accomplished:

✅ Request Completion Checklist:

1. Fixed failing GitHub Actions - All previously failing tests now pass
2. Reviewed diff against main - Understood the dynamic security analyzer implementation
3. Did NOT change implementation - Only fixed tests, preserved all existing functionality
4. Added requested test - Comprehensive test for "We only add security_risk if the tool is not read-only"

🔧 Test Fixes Applied:

1. str_replace_editor tool tests - Removed security_risk parameters from StrReplaceEditorAction constructors in tests since the field was moved from action level to event level

2. MCP tool tests - Updated schema expectations to reflect that security_risk was removed from ActionBase and is no longer part of the input schema

3. Config tests - Fixed SESSION_API_KEY environment variable conflicts by properly patching the environment and clearing the config cache where needed

4. Cross-integration test - Removed security_risk from mock LLM response in hello_world test since no security analyzer is configured (matching the PR's behavior)

5. Added comprehensive security_risk test - New test verifies that:

   • Read-only tools (readOnlyHint=True) do NOT get security_risk parameter
   • Writable tools (readOnlyHint=False or None) DO get security_risk parameter
   • Behavior is controlled by the add_security_risk_prediction flag

📊 Results:

• All targeted tests now pass ✅
• Pre-commit hooks pass ✅
• No implementation changes made ✅
• Changes pushed to PR branch ✅

The dynamic security analyzer implementation is now properly tested and all GitHub Actions should pass on PR #341.

_{View full conversation}

[github-actions]

Coverage Report

File	Stmts	Miss	Cover	Missing
openhands
__init__.py	1	0	100%
openhands/agent_server
__init__.py	16	16	0%	1, 3–5, 9–12, 20–22, 25, 27–29, 31
__main__.py	15	15	0%	1, 3, 6–8, 11, 14, 22, 24–27, 29, 38–39
api.py	20	20	0%	1–2, 4, 6, 9, 12, 15, 18, 24–28, 31–32, 36–37, 40–42
config.py	42	42	0%	1–4, 6, 10–11, 14, 17, 21, 27–28, 31, 34, 38, 41, 47, 54, 61, 67, 73, 77, 79–80, 82, 85–87, 89–90, 93–96, 98, 101, 104, 107, 109–110, 113–114
conversation_router.py	50	50	0%	3–4, 6, 8, 11, 18, 21–22, 28–29, 48–50, 55–56, 63–64, 67–68, 70–73, 76–77, 82–84, 90–91, 95–96, 99, 102–106, 109, 112–116, 119–124
conversation_service.py	195	195	0%	1–6, 8, 10–12, 19–22, 25, 28–29, 35–39, 41–48, 50, 57–58, 61–63, 69–70, 72, 75–82, 85–86, 89–93, 96–98, 100–103, 105, 107, 112–113, 115–117, 120–121, 123, 125, 127, 132–136, 140, 144–148, 151–152, 159–160, 173–177, 180, 182–183, 185–191, 193–199, 201–210, 212–215, 217–225, 230–231, 234–236, 238–242, 244, 251–253, 261–263, 265–266, 269–274, 276, 278, 280–281, 283, 285–286, 288, 290–291, 293–294, 297–299, 302, 308–311, 318–319, 323–327, 329, 334, 337, 340, 342–343, 345, 349–351
event_router.py	86	86	0%	5–8, 10, 18, 20, 23, 31–32, 35–37, 42–43, 65–70, 73–74, 84–88, 91–92, 94–100, 103–104, 109–113, 119–120, 122–127, 130, 133, 137–141, 147–148, 152–156, 159–168, 170, 173–175, 177–182
event_service.py	126	126	0%	1–4, 6, 13–15, 21–22, 25–26, 32–36, 38–40, 42–45, 47–50, 53, 56, 58, 65–66, 69–71, 73, 78–79, 82–85, 88–89, 92–96, 99–101, 103–106, 108–109, 111–113, 115, 120–121, 123–125, 127, 132–133, 135, 137, 139–143, 145–152, 154–155, 157–158, 160, 162–166, 182–183, 185, 187–190, 192–194, 196, 198–201, 203–207, 209–212, 214–216, 218–220
middleware.py	26	26	0%	1, 3–6, 9, 14–15, 23–26, 29–30, 33–34, 37, 46–48, 50, 53–57
models.py	50	50	0%	1–4, 6, 8, 12, 19–20, 27, 30, 33–36, 39, 42–43, 46, 52–54, 59–61, 64, 72, 77, 80, 87, 90–93, 96, 99, 102–104, 107–109, 112, 115–116, 119–120, 123–125
pub_sub.py	35	35	0%	1–4, 6–7, 10, 13–15, 18, 22–23, 30, 32, 39–42, 44, 51–54, 56, 59, 61, 68–72, 74–75, 78
utils.py	28	28	0%	1–4, 6, 9, 11, 14–18, 21, 25–30, 33–36, 39–41, 44, 47
openhands/sdk
__init__.py	16	2	87%	27–28
logger.py	73	21	71%	33, 57, 64–67, 69–71, 124, 129–131, 134–135, 141–143, 150, 155–156
openhands/sdk/agent
__init__.py	4	0	100%
agent.py	192	47	75%	64, 71, 78, 82, 99, 113, 120–121, 126–127, 198–199, 201–203, 205–207, 251, 265, 288, 327, 332–334, 337–338, 341, 371–373, 377–379, 389–390, 394–397, 404–405, 409, 413–414, 445, 452
base.py	94	7	92%	113, 127, 135–137, 153, 173
spec.py	15	0	100%
openhands/sdk/context
__init__.py	4	0	100%
agent_context.py	57	2	96%	146, 152
manager.py	3	3	0%	1, 4–5
view.py	97	1	98%	90
openhands/sdk/context/condenser
__init__.py	5	0	100%
base.py	21	0	100%
llm_summarizing_condenser.py	39	3	92%	44–46
no_op_condenser.py	6	0	100%
pipeline_condenser.py	13	6	53%	45–50
openhands/sdk/context/microagents
__init__.py	4	0	100%
exceptions.py	5	0	100%
microagent.py	143	25	82%	130, 133–136, 218–221, 229, 251–252, 257–258, 260, 264, 271–273, 281–283, 337, 339–340
types.py	21	0	100%
openhands/sdk/context/prompts
__init__.py	2	0	100%
prompt.py	30	5	83%	12, 15, 24, 44–45
openhands/sdk/conversation
__init__.py	7	0	100%
conversation.py	115	11	90%	115, 123–125, 129–130, 193, 275–276, 284–285
event_store.py	101	8	92%	50–51, 60, 67, 72–73, 129, 142
persistence_const.py	5	0	100%
secrets_manager.py	41	1	97%	107
serialization_diff.py	0	0	100%
state.py	101	5	95%	141, 164, 200–202
types.py	6	0	100%
visualizer.py	94	6	93%	90, 147, 169, 186, 218, 220
openhands/sdk/event
__init__.py	7	0	100%
base.py	74	8	89%	55, 75, 87–88, 94, 97–98, 100
condenser.py	28	7	75%	37, 39, 41–45
llm_convertible.py	181	16	91%	54, 64–65, 70–71, 251, 285–286, 291, 299, 340–341, 346, 379–380, 385
metric_events.py	13	0	100%
types.py	7	0	100%
user_action.py	12	1	91%	21
utils.py	12	0	100%
openhands/sdk/io
__init__.py	4	0	100%
base.py	14	4	71%	7, 11, 15, 19
local.py	56	16	71%	43–44, 58, 66–78
memory.py	43	4	90%	16, 20, 53–54
openhands/sdk/llm
__init__.py	8	0	100%
exceptions.py	36	0	100%
llm.py	399	97	75%	229, 234, 253–254, 286, 349, 355–356, 451, 464–465, 470–471, 473–474, 477–479, 484–486, 490–492, 513–516, 523, 541–542, 570, 576–577, 623, 672, 689–690, 699, 710, 731, 733–738, 740–757, 760–764, 766–767, 773–782, 786–797, 810, 824, 829
llm_registry.py	38	0	100%
message.py	109	4	96%	96, 99, 222–223
metadata.py	15	0	100%
openhands/sdk/llm/mixins
fn_call_converter.py	343	94	72%	74, 343, 345, 349, 367, 369, 375, 381, 383, 422, 424, 426, 428, 433–434, 481–482, 518–520, 522, 524, 545–547, 553, 575, 601–602, 610–613, 615, 617, 639, 648, 656, 701–704, 708–711, 723, 727, 738, 748, 797–798, 800, 829, 833, 859, 867, 870–871, 876, 905–908, 912–913, 918–919, 924, 973–974, 980, 994, 1006, 1008–1009, 1012–1014, 1016–1017, 1023–1025, 1027–1028, 1030, 1032, 1036, 1038, 1043, 1045–1046, 1049
non_native_fc.py	39	3	92%	64, 75, 91
openhands/sdk/llm/utils
metrics.py	111	3	97%	17, 117, 311
model_features.py	40	0	100%
retry_mixin.py	50	11	78%	47, 50, 64, 86, 90, 94–95, 105, 110–111, 116
telemetry.py	136	15	88%	71, 94, 99–100, 112–113, 120, 134, 199, 216, 222, 229, 232, 234, 241
unverified_models.py	69	4	94%	45–46, 51, 73
verified_models.py	5	0	100%
openhands/sdk/mcp
__init__.py	5	0	100%
client.py	26	6	76%	48–49, 62–63, 72–73
definition.py	48	16	66%	55, 75–80, 82–90
tool.py	40	13	67%	36–39, 43, 46, 49–52, 101–102, 107
utils.py	30	4	86%	23–24, 27, 30
openhands/sdk/preset
__init__.py	0	0	100%
default.py	20	12	40%	13, 15, 22, 28–29, 31–33, 35–36, 43, 45
openhands/sdk/security
__init__.py	2	0	100%
analyzer.py	36	8	77%	41, 74, 76–77, 79–80, 82, 85
llm_analyzer.py	9	0	100%
risk.py	12	2	83%	21, 33
openhands/sdk/tool
__init__.py	5	0	100%
schema.py	115	11	90%	23–25, 27, 36, 216–219, 239, 254
spec.py	15	0	100%
tool.py	92	10	89%	66, 107, 167, 170–176
openhands/sdk/tool/builtins
__init__.py	4	0	100%
finish.py	26	1	96%	33
think.py	32	13	59%	24, 27–28, 31, 33–37, 39, 51, 57, 74
openhands/sdk/utils
__init__.py	3	0	100%
async_executor.py	52	7	86%	39, 55–56, 84, 88, 102–103
async_utils.py	12	0	100%
discriminated_union.py	168	22	86%	119–127, 141–142, 236, 329, 356, 399–401, 418, 451, 464, 471, 474
json.py	28	28	0%	1–3, 5, 7–8, 11, 14–21, 25, 28, 30–31, 34, 37–38, 40, 43, 45–48
protocol.py	3	0	100%
pydantic_diff.py	57	15	73%	36, 44, 50–58, 60–62, 65
truncate.py	10	0	100%
visualize.py	17	4	76%	14–16, 22
openhands/tools
__init__.py	17	2	88%	29–30
openhands/tools/browser_use
__init__.py	3	0	100%
definition.py	109	17	84%	28–29, 31, 35, 37–38, 40, 88, 145, 199, 250, 301, 352, 397, 442, 492, 541
impl.py	113	73	35%	38, 44, 58–59, 61–70, 73–82, 84–85, 87–91, 95, 97–98, 103–104, 108–109, 114–115, 119–120, 124–125, 129, 131–132, 134–137, 140–141, 144, 146, 148, 153–154, 158–159, 163–164, 169–170, 177–179, 188–189, 196–197, 206–207
server.py	45	42	6%	11, 13–14, 16–17, 20–21, 24–25, 28, 30–32, 34–35, 38–39, 41, 44, 47–48, 51, 54–55, 57–61, 64–66, 68, 73–78, 80, 87, 89
openhands/tools/execute_bash
__init__.py	4	0	100%
constants.py	9	0	100%
definition.py	95	46	51%	38, 41, 44–45, 47, 50–52, 54–56, 58, 106, 109–111, 114, 116–118, 120, 124–125, 128–130, 132–133, 136–139, 143–145, 150, 154–156, 159–161, 165–166, 168, 248
impl.py	40	3	92%	55, 58, 62
metadata.py	50	3	94%	95–96, 100
openhands/tools/execute_bash/terminal
__init__.py	6	0	100%
factory.py	49	11	77%	24–25, 30, 32, 35, 37–38, 44–46, 97
interface.py	69	15	78%	43, 52, 62, 71, 76, 85, 94, 99, 145, 157, 162, 171, 180, 191, 193
subprocess_terminal.py	236	59	75%	68, 99–100, 126, 132, 139, 146–147, 157–158, 164–165, 179, 181, 185–187, 193, 209, 218–222, 257–259, 264, 276, 290, 314, 316, 325, 346, 362, 367, 373–375, 383–384, 388–389, 391–397, 401–402, 405–406, 408–409, 411–413
terminal_session.py	178	8	95%	92, 96–98, 235, 281, 297, 317
tmux_terminal.py	80	21	73%	36, 45, 108, 119, 133, 145–152, 160–161, 163–164, 166, 168–170
openhands/tools/execute_bash/utils
command.py	81	4	95%	48, 64–66
openhands/tools/str_replace_editor
__init__.py	3	0	100%
definition.py	62	9	85%	84, 96, 116, 119, 122, 129, 131, 133, 135
editor.py	228	11	95%	131, 264, 340, 350, 401–402, 641, 648–649, 663, 668
exceptions.py	22	0	100%
impl.py	26	2	92%	31–32
openhands/tools/str_replace_editor/utils
__init__.py	0	0	100%
config.py	2	0	100%
constants.py	5	0	100%
diff.py	64	1	98%	115
encoding.py	54	1	98%	81
file_cache.py	95	9	90%	44–46, 49–50, 54, 59, 151, 154
history.py	66	1	98%	79
shell.py	23	0	100%
openhands/tools/task_tracker
__init__.py	2	2	0%	1, 10
definition.py	132	132	0%	1–4, 6–7, 9–11, 20, 23–26, 33, 36, 40, 45–46, 48, 51–53, 55–56, 59–60, 62, 65, 68, 71–72, 76–78, 80–81, 83, 85, 87–88, 91, 94–96, 98–99, 102–108, 110–112, 115, 117–120, 122, 125, 128–129, 131–132, 134–135, 137, 140, 143, 150–151, 154–155, 157, 159, 161, 163–165, 171, 173–174, 179–180, 184, 191, 193–194, 196–198, 202–203, 205–208, 210, 212, 214–215, 217–219, 221–225, 229, 231, 233–234, 236–237, 239, 241–245, 249, 382, 396, 399–400, 407, 410
openhands/tools/utils
__init__.py	0	0	100%
TOTAL	6688	1773	73%

[openhands-ai]

Looks like there are a few issues preventing this PR from being merged!

• GitHub Actions are failing:
  • Run tests

If you'd like me to help, just leave a comment, like

@OpenHands please fix the failing actions on PR #341 at branch `xw/dynamic-security-analyzer`

Feel free to include any additional details that might help me get this PR into a better state.

_{^{You can manage your notification settings}}

[csmith49]

Lot more files changed than I might have expected, but this LGTM

[github-actions]

Agent Server image for this PR

Pull (multi-arch manifest):

docker pull ghcr.io/all-hands-ai/agent-server:ef1f21f

Run:

docker run -it --rm \
  -p 8000:8000 \
  --name agent-server-ef1f21f \
  ghcr.io/all-hands-ai/agent-server:ef1f21f

This tag is a multi-arch manifest (amd64/arm64). Your client pulls the right arch automatically.