PkgRadar

PyPI · pypi.org

openhands-automation

Remote Payload: matched "curl "

Why PkgRadar flagged 1.0.0a9

| Severity | Signal | Evidence |
|---|---|---|
| medium | Remote Payload | matched "curl " · openhands_automation-1.0.0a9/openhands/automation/presets/plugin/setup.sh |
| medium | Remote Payload | matched "curl " · openhands_automation-1.0.0a9/openhands/automation/presets/prompt/setup.sh |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 1.0.0a9 | Review | 24 | 2026-06-11 |
| 1.0.0a8 | Review | 24 | 2026-06-11 |
| 1.0.0a7 | Review | 24 | 2026-06-10 |
| 1.0.0a6 | Review | 24 | 2026-06-03 |
| 1.0.0a5 | Review | 24 | 2026-05-30 |

Block this in CI

PkgRadar gates openhands-automation (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi openhands-automation==1.0.0a9