Android Dev Agent

Security checks across malware telemetry and agentic risk

Overview

This Android development skill asks for broad build and file-editing abilities, but they are disclosed and match its AOSP/ROM development purpose.

Install this only for workspaces where you are comfortable letting the agent run Android build and source-analysis commands. Use a dedicated checkout or sandbox, and review commands before large repo syncs, builds, or patch writes because they can use significant resources and change local files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to create directories, run Bash build/analysis commands, and write files, but it does not require explicit user confirmation or warn about filesystem and command-execution side effects. In an agent setting with Bash/Edit/Write tools, this can lead to unintended state changes, resource-heavy builds, or destructive commands being executed based only on task matching.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal