Android Remote Control

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised Android remote-control actions, but users should treat it as sensitive because it can view and control a connected phone.

Install only if you intentionally want Codex to control a trusted Android device through ADB. Keep the phone visible, avoid opening sensitive screens before screenshots, review taps that could send messages, approve purchases, or change settings, and install ADB/uiautomator2 only from trusted sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script captures a full device screenshot and writes it to disk without any confirmation, notice, access control, or restriction on where the image is stored. In the context of a remote-control skill for Android devices, screenshots can expose highly sensitive data such as messages, authentication codes, personal photos, and financial information, so silent capture materially increases privacy and data-exposure risk.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The code starts any package name provided on the command line with no validation, approval step, or audit trail. In a remote Android control tool, arbitrary app launching can be used to open sensitive apps, trigger actions in privileged contexts, or facilitate further unauthorized interaction with the device.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal