Awesome GeeLark Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for GeeLark cloud-phone automation, but it grants broad device, credential, and social-account control with some safeguards left too loose.

Install only if you are comfortable giving the skill access to your GeeLark account, cloud phones, ADB sessions, and social-media automation workflows. Keep assets/config.json and logs private, do not give social-media passwords to the agent, require explicit confirmation before enabling ADB or posting/deleting content, and prefer deny or manual review for Android permission prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents and encourages capabilities including file read/write, network access, and shell execution, but does not declare permissions or constrain them through an explicit permission model. That creates a trust gap: a caller may invoke a skill with broad operational power without clear consent boundaries, increasing the risk of unintended command execution, credential access, or filesystem modification.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The deletion guard is not true double confirmation: it relies on a hardcoded static string and still exposes a direct deletion method that any caller can invoke. In an agent skill that manages cloud phones, this makes destructive deletion easy to trigger programmatically, undermining the documented safety boundary and increasing the risk of accidental or unauthorized destructive actions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The reference documents a destructive delete endpoint for cloud phones and only notes a precondition about stopping devices, not the user-impact or irreversibility of deletion. In an agent skill that may be used to automate infrastructure-like operations, omission of explicit destructive-action warnings increases the risk of accidental data or environment loss.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The documentation lists delete operations for groups, tags, and proxies without describing the operational consequences, dependency breakage, or permanence of removal. In an automation context, this can enable accidental destructive changes at scale because users or downstream agents are not clearly warned before issuing deletion requests.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The login-task documentation and examples instruct callers to submit account credentials such as usernames, emails, and passwords to the API without any privacy, storage, handling, or secret-minimization warning. This is dangerous because the skill is specifically designed to automate social-media and service logins, so users may disclose high-value credentials that could be logged, retained, or mishandled by the platform or intermediaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The permission-handling example automatically clicks common 'Allow' buttons without any user confirmation, policy check, or scope restriction. In a cloud-phone automation skill, this can silently grant sensitive Android permissions such as camera, microphone, contacts, storage, or location to arbitrary apps, expanding app capabilities and reducing user control.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide shows plaintext username/password examples for automated login flows without any warning about secret handling, storage, redaction, or least exposure. In a skill focused on cloud-phone and social-media automation, this increases the chance that users will hardcode credentials in prompts, logs, scripts, or task definitions, leading to credential leakage and account compromise.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation includes destructive actions such as deleting, hiding, and canceling tasks/content without warning about irreversibility, confirmation requirements, or misuse risk. In an automation context for social platforms, this can enable accidental or mass disruptive actions affecting user accounts, published content, and operational workflows.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The logger persists full ADB command strings and command output directly to disk without any sanitization. In this skill context, ADB commands may embed device endpoints, auth tokens, shell fragments, file paths, package names, or user data, so log files can become a secondary source of credential leakage or sensitive operational metadata exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically enables ADB on the target cloud phone and then returns the ADB IP, port, and password without any explicit confirmation, authorization check, or safety gate. ADB materially increases remote control capability over the device, so silently changing that access state and exposing credentials can enable unintended administrative access, credential leakage through logs/stdout, or misuse by downstream callers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This helper automatically accepts Android permission prompts by default, which can silently grant camera, microphone, contacts, storage, or accessibility access to apps without explicit user confirmation at the moment of grant. In the context of a cloud-phone automation skill that manages social-media apps at scale, this behavior increases risk because it can normalize over-privileged installs and mask dangerous permission requests from operators.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The ADB password is supplied as a command-line argument to a subprocess, which can expose the secret to local process inspection tools, audit logs, crash reports, or other monitoring on the host. In a skill that manages cloud phones and automation infrastructure, these credentials may grant operational access to devices and enable unauthorized control if leaked.

External Transmission

Medium
Category
Data Exfiltration
Content
print(f"  ⚠️ ADB not enabled (code={adb_item.get('code')}), enabling...", flush=True)
client_log.info("Enabling ADB")

enable_response = requests.post(
    f"{base_url}/open/v1/adb/setStatus",
    headers=headers,
    json={"ids": [phone_id], "open": True},
Confidence
89% confidence
Finding
requests.post( f"{base_url}/open/v1/adb/setStatus", headers=headers, json=

Unvalidated Output Injection

High
Category
Output Handling
Content
d = u2.connect(f"{adb_info['ip']}:{adb_info['port']}")

# Authenticate (MUST DO IMMEDIATELY)
subprocess.run(['adb', '-s', f"{adb_info['ip']}:{adb_info['port']}",
                'shell', 'glogin', adb_info['pwd']], capture_output=True)

# Get UI hierarchy (Step 1: Identify)
Confidence
91% confidence
Finding
subprocess.run(['adb', '-s', f"{adb_info['ip']}:{adb_info['port']}", 'shell', 'glogin', adb_info['pwd']], capture_output

Excessive Permissions

Low
Category
Privilege Escalation
Content
**As a standalone script:**
```bash
# Allow all permissions
python scripts/handle_android_permissions.py 192.168.1.100:5555

# Deny all permissions
Confidence
86% confidence
Finding
Allow all permissions

VirusTotal

64/64 vendors flagged this skill as clean.
