Back to skill

Security audit

tencent cvp skill

Security checks across malware telemetry and agentic risk

Overview

This skill clearly does Android device automation, but it gives broad ADB control and includes an unsafe APK download fallback without enough safeguards.

Install only if you intentionally want an agent to control an Android device via ADB. Keep sensitive apps and screens out of view, require explicit approval before taps in accounts, payments, messaging, or installs, and avoid APK downloads from web search unless you can verify the source and package integrity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises itself for essentially any task involving operating an Android device, which creates an unusually broad trigger surface for a high-privilege capability set (screen inspection, input injection, app launching, and installation). In agent environments, this can cause over-selection and unintended invocation for ordinary Android-related requests, increasing the chance of unsafe device actions being performed without sufficiently narrow user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides operational instructions for installing apps and even treats web search for APK downloads as a fallback, but does not include integrity, provenance, or user-consent safeguards. In this context, the skill has direct ADB-driven ability to change device state, so missing warnings and restrictions can facilitate installation of untrusted software, sideloaded malware, or trojanized APKs onto the Android device.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.