hitl-protocol
Enables human-in-the-loop decision-making for autonomous agents, ensuring critical choices are made with human oversight.
Security score
The hitl-protocol skill was audited on May 23, 2026 and we found 17 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context

| Line | Code |
|---|---|
| 209 | const caseId = `review_${crypto.randomBytes(16).toString('hex')}`; |
| 223 | message: `${results.length} jobs found. Please select which ones to apply for.`, |
| 227 | review_url: `https://yourservice.com/review/${caseId}?token=${token}`, |
| 228 | poll_url: `https://api.yourservice.com/v1/reviews/${caseId}/status`, |

Webhook reference - potential data exfiltration

| Line | Code |
|---|---|
| 3 | description: "HITL Protocol — the open standard for human decisions in autonomous agent workflows. When a website or API needs human input, it returns HTTP 202 with a review URL. Autonomous agents lik |
| 73 | \| **Transport** \| Polling (required), SSE (optional), Callback/Webhook (optional) \| |

External URL reference

| Line | Code |
|---|---|
| 31 | **[Interactive Playground](https://rotorstar.github.io/hitl-protocol/playground/index.html)** — try all review types, transports, and inline actions live in your browser. |
| 105 | "review_url": "https://service.example.com/review/abc123?token=K7xR2mN4pQ...", |
| 106 | "poll_url": "https://api.service.example.com/v1/reviews/abc123/status", |
| 227 | review_url: `https://yourservice.com/review/${caseId}?token=${token}`, |
| 228 | poll_url: `https://api.yourservice.com/v1/reviews/${caseId}/status`, |
| 249 | response = httpx.post("https://api.jobboard.com/search", json=query) |
| 325 | review_base_url: "https://yourservice.com/review" |
| 424 | - [RFC 9110](https://www.rfc-editor.org/rfc/rfc9110) — HTTP semantics (`202 Accepted`, conditional requests, retry behavior) |
| 425 | - [RFC 2119](https://www.rfc-editor.org/rfc/rfc2119) + [RFC 8174](https://www.rfc-editor.org/rfc/rfc8174) — normative terms (`MUST`, `SHOULD`, `MAY`) |
| 426 | - [RFC 3339](https://www.rfc-editor.org/rfc/rfc3339) — timestamp formats used by HITL case lifecycle fields |
| 427 | - [RFC 6750](https://www.rfc-editor.org/rfc/rfc6750) — bearer token usage for review and inline submit authorization |