Android Adb

Security checks across malware telemetry and agentic risk

Overview

This ADB skill is mostly coherent, but it needs review because it can control Android devices and includes unsafe shell command construction around log capture.

Install only if you are comfortable giving an agent ADB-level control over connected Android devices. Review every command involving logs, screenshots, recordings, UI dumps, file pulls, app data clearing, uninstall, settings, reboot, wipe, fastboot, or root, and avoid untrusted logcat tags, serials, package names, or paths until the eval-based helper is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Low
Confidence: 79%
Finding
The skill directs the agent to open a new system terminal window and run constructed commands there, which expands impact beyond ordinary ADB command execution into host-side process spawning. That increases the attack surface because user-influenced command strings may be executed in a separate interactive shell with fewer conversational safeguards and less visibility.

Missing User Warnings

Medium
Confidence: 91%
Finding
This reference explicitly includes commands for log capture, screenshots, screen recording, UI hierarchy dumps, and file transfer, all of which can expose sensitive user data such as tokens, messages, on-screen PII, app internals, and files from the device. In an agent skill context, providing these commands without prominent privacy/consent guidance increases the risk that an automation agent will collect or exfiltrate sensitive data too broadly.

VirusTotal

VirusTotal findings are pending for this skill version.
