YZTurboWebAndroid

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Android WebView SDK integration guide; its JS bridge example needs normal secure implementation care but does not show hidden or malicious behavior.

Before installing or using this guide in a real Android app, verify the Gradle dependency source, review the SDK permissions and privacy behavior, and add origin allowlisting, permission checks, and data minimization to any JS bridge handlers that expose user data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The JS Bridge example returns user information directly to web content without showing any origin validation, authentication, permission gating, or user consent flow. In a WebView container that may load remote or mixed-trust H5 content, this pattern can expose sensitive native data to untrusted pages or injected scripts, making the example security-relevant rather than merely incomplete.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal