v0.1.0

Droidrun Agent

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:30 AM.

Analysis

This skill is not clearly malicious, but it gives an agent broad Android device-control powers, including screenshots, text input, app launching/stopping, and APK installation, so it should be reviewed carefully before use.

GuidanceInstall only if you intend to let an agent control an Android device through DroidRun Portal. Prefer a test device, protect the Portal token, verify the actual package source, and require manual confirmation before installing APKs, entering sensitive text, or taking actions in apps tied to personal or work accounts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Supports all action methods ... (`tap`, `swipe`, `global_action`, `start_app`, `stop_app`, `input_text`, `clear_input`, `press_key`, `set_overlay_offset`, `set_socket_port`, `take_screenshot`) ... `install(urls: list[str], hide_overlay: bool = True)` ... Install APK(s) from URL(s)

These methods allow broad remote operation of an Android device and installation of APKs from supplied URLs. The artifact does not describe approval prompts, device scoping, source allowlists, or rollback controls for these high-impact actions.

User impactAn agent using this skill could tap through apps, enter text, launch or stop apps, take screenshots, and install software on the connected Android device.

RecommendationUse only with a test or explicitly authorized device, require human confirmation before app installation or account-affecting actions, and restrict APK URLs and target devices.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none ... No code files present — this is an instruction-only skill.

The reviewed artifacts do not include the implementation for the documented Python clients or MCP server, so the clean static scan does not validate the actual code that would perform device-control actions.

User impactThe user cannot confirm from these artifacts alone how the referenced implementation handles tokens, network connections, screenshots, or APK installation.

RecommendationVerify the package source and implementation before using it with a real device or privileged Portal token.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

Communicates with Portal's HTTP server ... using Bearer token authentication ... token="YOUR_TOKEN"

The token is expected for DroidRun Portal access, but it is a privileged credential because it authorizes device-control operations.

User impactAnyone or any agent with the Portal token may be able to control the Android device through DroidRun Portal.

RecommendationKeep the token private, rotate it if exposed, and use the least-privileged or shortest-lived token option available.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceMediumStatusNote

SKILL.md

Provides ... a built-in MCP server for communicating with Android devices running DroidRun Portal.

MCP support is purpose-aligned, but the artifact does not describe the MCP server's authentication, client restrictions, or data boundaries while it exposes sensitive device interaction capabilities.

User impactIf the MCP server is reachable by untrusted clients, they could potentially request device state, screenshots, or actions through the integration.

RecommendationRun any MCP server only on trusted interfaces, restrict clients, and avoid exposing it beyond the local trusted environment unless strong authentication is configured.