ClawHub

Android Stack Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Android debugging helper that uses ADB to inspect page and activity stacks, with privacy cautions users should understand before using it.

Install only if you intend to use ADB on devices you own or are authorized to debug. Treat dumpsys, getprop, and logcat output as potentially sensitive, redact package names or logs before sharing, and run real-time monitoring only when you explicitly need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation keywords include very broad phrases such as "adb命令" and "当前页面", which can overlap with normal user conversation and trigger the skill unintentionally. In the context of a skill that guides users to inspect Android devices via ADB, accidental activation increases the chance of unnecessary exposure of device state or logs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide recommends ADB usage and debugging workflows without warning that commands like dumpsys, getprop, and logcat can expose sensitive device information, application state, identifiers, and potentially personal data. Users may follow these instructions and share or inspect outputs without understanding the privacy implications.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The documented activation phrases include very broad terms such as "adb 命令", which can cause the skill to trigger during general Android debugging conversations outside its intended scope. In a tool that can inspect connected-device state via ADB, overbroad activation increases the chance of unintended execution and unexpected access to device activity/task-stack information.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The README describes executing ADB commands and real-time monitoring but does not clearly disclose that the skill reads UI/activity/task-stack data from a connected Android device. This creates a transparency and consent problem: users may invoke the skill without realizing it inspects potentially sensitive app-navigation context on the device.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill instructs users to run ADB `dumpsys` commands that can reveal sensitive runtime information such as current foreground apps, activity history, recent tasks, processes, and potentially app/package details. While these commands are legitimate for Android debugging, the document lacks privacy warnings, scope limitations, or guidance to avoid collecting data from personal or production devices, increasing the risk of unnecessary exposure of user or organizational information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal