android-agent

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about controlling an Android phone, but it gives an AI agent broad access to an unlocked device and the sensitive apps on it, with no strong safeguards built in.

Install it only on a spare or test Android device you are comfortable exposing to AI control, and:
  • keep personal banking, MFA, medical, email, and private messaging accounts off that device;
  • do not use your real phone PIN in the environment;
  • manually confirm purchases, messages, calls, and account changes before the agent performs them;
  • prefer a USB connection or an SSH tunnel over WiFi ADB, which leaves the ADB port reachable from the local network;
  • disable ADB debugging and the DroidRun Accessibility permissions when you are finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings
Medium, 94% confidence

These examples encourage the agent to read SMS, email, and chat content and to send messages on the user's behalf without any caution about privacy, consent, or accidental disclosure. In an agent skill context, showcasing such actions as copy-paste-ready tasks normalizes sensitive account access and message exfiltration, which could lead users to run invasive operations without understanding the risk.

Missing User Warnings
Medium, 95% confidence

The task examples include checking a bank balance and ordering goods or services, which can expose financial information or trigger real-world transactions, yet no warning is provided about monetary consequences, authentication prompts, or sensitive data handling. Because these are presented as normal one-line commands, users may execute high-risk financial or purchasing actions without adequate safeguards.

Missing User Warnings
Low, 89% confidence

Examples that change device settings or clear notifications can alter device state, hide important alerts, or disrupt connectivity, but the file provides no warning that these actions have side effects. While less severe than financial or messaging tasks, presenting them as direct copy-paste commands still creates avoidable risk of unintended system changes.

Missing User Warnings
Medium, 92% confidence

The script automatically unlocks a connected phone using the ANDROID_PIN environment variable and proceeds to operate the device without an explicit confirmation step. In a skill context that grants broad device control, this lowers a major security boundary and can enable unintended access to private apps, data, and transactions if the script is triggered in the wrong context or against the wrong device.

Missing User Warnings
Medium, 89% confidence

The script captures the full device screen and writes it to a local file in /tmp by default, with no privacy warning, permission prompt, or file-permission hardening. In this context, screenshots may contain messages, MFA codes, account data, or other sensitive content, and storing them in a predictable temporary location increases exposure to other local processes or users.
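The last two findings describe a silent unlock driven by the ANDROID_PIN variable and screenshots dropped into a predictable /tmp path. The hardened form of both, as an added example that is not the skill's own code: the unlock is gated on a test-device serial allowlist plus an explicit operator confirmation, and screenshots go into a per-session directory that only the current user can enter, created as 0600 files with O_EXCL so a pre-planted file or symlink is refused. It assumes `adb` is on PATH, uses adb's own ANDROID_SERIAL variable to pick the device, and introduces AGENT_ALLOWED_SERIALS as a hypothetical variable for the allowlist; the swipe coordinates in `unlock` are an assumption for a 1080x2400 screen.

```python
"""Confirmed, serial-pinned unlock and private screenshot storage for an
ADB-driven agent. Added example, not the android-agent skill's code.
"""
import os
import shutil
import stat
import subprocess
import tempfile
import time
from typing import Callable, Optional, Set


def adb(*args: str, serial: Optional[str] = None) -> bytes:
    """Run one adb command against one device and return raw stdout."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(cmd, check=True, capture_output=True).stdout


def unlock_allowed(serial: Optional[str], allowed_serials: Set[str],
                   pin: Optional[str], confirm: Callable[[str], bool]) -> bool:
    """Refuse unless a PIN is configured, the serial is a known test device,
    and the operator says yes. A cable plugged into the wrong phone fails the
    allowlist check instead of being unlocked."""
    if not pin or not serial or serial not in allowed_serials:
        return False
    return bool(confirm(f"Unlock device {serial} and hand it to the agent? [y/N] "))


def unlock(serial: str, pin: str) -> None:
    """Wake, swipe up, type the PIN. Call only after unlock_allowed() is True."""
    adb("shell", "input", "keyevent", "KEYCODE_WAKEUP", serial=serial)
    # ASSUMED coordinates for a 1080x2400 screen; adjust for the test device.
    adb("shell", "input", "swipe", "540", "1600", "540", "600", serial=serial)
    time.sleep(0.5)
    adb("shell", "input", "text", pin, serial=serial)
    adb("shell", "input", "keyevent", "KEYCODE_ENTER", serial=serial)


def private_screenshot_dir() -> str:
    """Per-session directory; mkdtemp creates it with mode 0700."""
    return tempfile.mkdtemp(prefix="agent-shots-")


def save_screenshot(png: bytes, directory: str, name: str) -> str:
    """Write PNG bytes as a fresh 0600 file. O_EXCL makes an existing file or
    a planted symlink at that path an error rather than an overwrite."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(png)
    return path


def capture_screenshot(serial: str, directory: str) -> str:
    """Pull a screenshot with `adb exec-out screencap -p` into the private dir."""
    png = adb("exec-out", "screencap", "-p", serial=serial)
    return save_screenshot(png, directory, f"{int(time.time() * 1000)}.png")


def file_mode(path: str) -> int:
    """Permission bits of a path, for checking what the functions above created."""
    return stat.S_IMODE(os.stat(path).st_mode)


def cleanup(directory: str) -> None:
    """Remove the session's screenshots once the agent is done with them."""
    shutil.rmtree(directory)


def yes_no(prompt: str) -> bool:
    return input(prompt).strip().lower() == "y"


if __name__ == "__main__":
    serial = os.environ.get("ANDROID_SERIAL")           # adb's own device selector
    # ASSUMED variable: comma-separated serials of devices the agent may unlock.
    allowed = set(filter(None, os.environ.get("AGENT_ALLOWED_SERIALS", "").split(",")))
    pin = os.environ.get("ANDROID_PIN")
    if not unlock_allowed(serial, allowed, pin, yes_no):
        raise SystemExit("refusing to unlock: device not allowlisted or not confirmed")
    unlock(serial, pin)
    shots = private_screenshot_dir()
    print(capture_screenshot(serial, shots))
```

Keep the PIN for the test device in the environment only; the allowlist check is what turns "the script was run in the wrong context" into a refusal rather than an unlocked personal phone. The directory created by `private_screenshot_dir` is 0700 and the files 0600, so other local users cannot read MFA codes or messages captured in a screenshot, and `cleanup` should run at the end of every session.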

VirusTotal

0 of 66 vendors flagged this skill; all 66 reported it clean.
