fix(security): extend action type coverage in security check

[Fieldnote-Echo]

Summary of PR

FileWriteAction, BrowseURLAction, and MCPAction are not included in the confirmation_mode security check in agent_controller.py. When confirmation mode is enabled, these action types bypass the SecurityAnalyzer entirely.

Adds the three missing action types to the security check so they are evaluated by the configured SecurityAnalyzer.

Changes

• openhands/controller/agent_controller.py: Import and add FileWriteAction, BrowseURLAction, MCPAction to the confirmation_mode type check

Identified via GHSA-rxg6-2ghm-27gv.

Demo Screenshots/Videos

N/A — backend security logic, no UI impact.

Change Type

• Bug fix
• New feature
• Breaking change
• Refactor
• Other (dependency update, docs, typo fixes, etc.)

Checklist

• I have read and reviewed the code and I understand what the code is doing.
• I have tested the code to the best of my ability and ensured it works as expected.

Fixes

Related to GHSA-rxg6-2ghm-27gv

Release Notes

• Include this change in the Release Notes.

[all-hands-bot]

Good security fix! The PR correctly identifies and addresses the gap in security coverage. However, this type-checking approach is verbose and error-prone.

[all-hands-bot]

🟡 Suggestion: This approach is verbose and error-prone. Consider refactoring to check for the security_risk attribute instead of listing specific types. This would be more maintainable and automatically include any future actions with security_risk attributes without requiring code changes here.

Suggested change

	):
	if self.state.confirmation_mode and hasattr(action, "security_risk"):

[Fieldnote-Echo]

Good suggestion — the hasattr approach is cleaner and would automatically cover future action types. I noticed this file is marked Legacy V0 (scheduled for removal April 2026), so the maintainability benefit may be limited here. Happy to adopt the hasattr pattern if you'd prefer, or keep the explicit approach to minimize diff in legacy code. Your call.

[all-hands-bot]

Additional feedback on testing coverage.

[all-hands-bot]

🟠 Important: FileWriteAction is particularly critical from a security perspective (it can overwrite sensitive files like SSH keys, config files, etc.). Consider adding test cases in tests/unit/security/test_security.py to verify that FileWriteAction, BrowseURLAction, and MCPAction all trigger security analysis when confirmation_mode is enabled. This would prevent regression if this code is refactored in the future.

[Fieldnote-Echo]

Agreed that test coverage here would be valuable. I noticed there aren't currently any confirmation_mode tests in test_security.py, and this code path is marked Legacy V0 (removal April 2026). Would you like me to add tests covering all action types in the confirmation_mode check, or would you prefer to keep the scope minimal given the V0 timeline? Happy to go either direction.

[ImL1s]

LGTM! This is a critical security fix for GHSA-rx6-2ghm-27gv. The three missing action types (FileWriteAction, BrowseURLAction, MCPAction) are now properly included in the confirmation_mode security check, ensuring they go through the SecurityAnalyzer like other actions.

The change is minimal and focused, exactly what a security fix should be. +1 for merge.

[enyst]

Thank you for looking into this! To be fair, while we really don't intend to change behavior of these files since they are legacy, this looks minimal and safe.