android-agent

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is openly designed to let an AI control a real, logged-in Android phone, including sensitive apps, messages, purchases, and settings, without clear per-action approval limits.

Install only if you are comfortable giving an AI broad control over an Android phone. Prefer a spare device, avoid banking/payment and private messaging tasks, keep the phone visible while tasks run, do not store your phone PIN unless needed, and revoke accessibility/USB-debugging access after use.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on a personal logged-in phone, the agent could send messages, place orders, change settings, or interact with financial apps based on the task and screen state.

Why it was flagged

This shows broad real-device control, including financial and transactional apps. The artifacts do not show approval gates or scoped limits before the agent takes high-impact actions.

Skill content

Your AI can now open apps, tap buttons, type text, and complete tasks on a real phone. Book a cab, order food, check your bank app — anything you'd do with your thumbs.

Recommendation

Use only on a spare or test phone where possible, keep the screen visible, avoid banking/payment apps, and add manual confirmation requirements for purchases, messages, calls, or account changes.

What this means

Providing ANDROID_PIN lets the automation unlock and use the phone without the user manually unlocking it, expanding the agent's access to private apps, messages, accounts, and settings.

Why it was flagged

The script can take a phone PIN from an environment variable and type it through ADB to unlock the phone, giving the agent access to logged-in apps and account sessions on the device.

Skill content

pin = os.environ.get("ANDROID_PIN") ... adb(serial, "shell", "input", "text", pin)

Recommendation

Do not set ANDROID_PIN unless absolutely necessary. Prefer manual unlock, use a dedicated device, and log out of sensitive apps before running tasks.

What this means

Sensitive screen contents may be processed by OpenAI/DroidRun during task execution, including information from apps the user did not intend to share if it appears on screen.

Why it was flagged

The skill's core workflow sends or exposes phone-screen screenshots to an external LLM workflow. Those screenshots may contain SMS, email, banking, notification, or other private information.

Skill content

Your AI agent sees the phone screen (via screenshots) ... Under the hood it uses DroidRun with GPT-4o vision.

Recommendation

Review the privacy policies of the provider stack, close sensitive apps and notifications before use, and avoid tasks involving confidential or regulated information.

What this means

Installing the wrong or compromised APK could give a third-party component broad ability to observe and interact with the phone UI.

Why it was flagged

The setup relies on a third-party APK with powerful accessibility permissions. The artifact does not provide a pinned APK version, checksum, or provenance verification.

Skill content

Download from [DroidRun releases](https://github.com/droidrun/droidrun/releases) ... Or sideload: `adb install droidrun-portal.apk` ... grant accessibility permissions

Recommendation

Download only from the official DroidRun release page, verify versions/checksums if available, and remove the APK or revoke accessibility access when finished.

What this means

A privileged phone-control service may remain enabled after the user finishes using the skill.

Why it was flagged

The background accessibility service is disclosed and purpose-aligned, but it persists beyond a single task and remains a powerful control surface on the phone.

Skill content

The DroidRun Portal APK must be installed and running on the phone. It provides the accessibility service ... Keep it running in the background.

Recommendation

Disable the accessibility service, revoke USB debugging authorization, or uninstall the Portal app when not actively using this skill.