Android Remote Control
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could see the phone screen and perform taps that trigger actions in apps, such as sending messages or confirming prompts, if the user directs or allows it.
The script exposes raw Android device operations: capture the screen, tap arbitrary coordinates, and start an arbitrary package. This is consistent with the remote-control purpose, but mistaken or over-broad use could act inside any open phone app.
d.screenshot(output_path) ... d.click(x, y) ... d.app_start(pkg)
Use only with a trusted device that you can observe. Require explicit confirmation before taps that submit forms, send messages, make purchases, delete data, change settings, or install/uninstall apps.
If USB debugging is authorized, actions run as the device user context and can interact with apps that are already logged in on the phone.
The skill connects through ADB/uiautomator2, which uses the Android debugging trust relationship. That gives delegated device-level control to whichever connected device uiautomator2 selects.
adb_path = r"C:\Program Files (x86)\Camo Studio\Adb" ... d = u2.connect()
Only authorize ADB for trusted computers and sessions, disconnect the device or revoke USB debugging authorization after use, and avoid using this on a primary phone with sensitive apps open.
The skill may fail unless dependencies already exist, or users may install dependencies manually without the registry documenting exact versions or sources.
The script relies on the uiautomator2 Python package and a local ADB installation, while the provided install metadata declares no install spec or required binaries. This leaves dependency setup and provenance to the user.
import uiautomator2 as u2 ... adb_path = r"C:\Program Files (x86)\Camo Studio\Adb"
Install uiautomator2 and ADB only from trusted sources, prefer pinned versions, and verify that the ADB path points to the intended binary.
Phone screenshots can contain private messages, notifications, account details, or one-time codes, and may be exposed to the model/provider used for visual analysis.
The documented workflow saves a phone screenshot and references using a vision model such as Qwen-VL to locate coordinates. If that model is remote, screen contents may be shared outside the local device.
python scripts/remote_control.py snap workspace/last_snap.jpg ... Qwen-VL
Avoid capturing sensitive screens, close private apps/notifications before use, and understand where any vision model processing occurs before sending screenshots for analysis.