# Boundary & Risk Card Project: OpenHands/OpenHands ## Doramagic Trial Decision Current decision: ready for pre-publication recommendation checks. First use should still start with least privilege, a temporary directory, and rollback. ## What The User Can Do Now - Read the Human Manual first to understand purpose and main workflows. - Copy the Prompt Preview for a pre-install trial. This checks interaction feel, not real execution. - Test the official Quick Start command in an isolated environment before using a primary machine. ## What Not To Do Yet - Do not treat Prompt Preview output as an actual project run. - Do not treat metadata-only validation as sandbox install validation. - Do not write unverified capabilities as supported, tested, or safe to install. - Do not provide production data, private files, real secrets, or primary configuration directories on first use. ## Pre-install Checklist - Host AI match: claude, chatgpt, claude_code - Official install entry state: official entry found - Verification location: temporary directory, temporary host, or container required - Rollback readiness: required - API keys, network access, file writes, or host configuration changes: treat as high risk until confirmed - Install command, actual output, and failure logs: must be recorded ## Current Blockers - No blockers. ## Project-specific Pitfalls - Installation risk requires verification (high): May increase setup, validation, or first-run risk for the user. - Installation risk requires verification (high): May increase setup, validation, or first-run risk for the user. - Security or permission risk requires verification (high): Developers may expose sensitive permissions or credentials: [Bug] Conversation polling fails with ValidationError when secrets contain null values - Security or permission risk requires verification (high): Developers may expose sensitive permissions or credentials: [Feature]: Docker / Docker Compose Instructions - Security or permission risk requires verification (high): May increase setup, validation, or first-run risk for the user. ## Risk And Permission Notes - no_demo: medium ## Evidence Gaps - No structured evidence gaps found.