Android Studio

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Android Studio helper with expected local memory and debugging guidance, but users should be careful with logs and saved preferences.

Install if you want an assistant to help with Android Studio workflows. Before sharing Logcat output, network captures, database exports, or screenshots, review and redact secrets, personal data, device identifiers, and internal URLs. Check ~/android-studio/memory.md if you want to review or remove saved IDE preferences and project context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium (91% confidence)

The guidance to save logs for sharing or later analysis omits an important warning that Logcat and exported logs can contain sensitive information such as tokens, PII, device identifiers, stack traces, URLs, and app state. In an Android debugging context this is realistically dangerous because developers may normalize collecting and distributing raw logs, increasing the chance of accidental data exposure during bug reports or collaboration.

Vague Triggers

Medium (81% confidence)

The instruction to 'Start the conversation naturally' when a directory condition is met is broad and can cause the skill to activate without a clear user request for Android Studio help. That creates a consent and scope risk because the assistant may inject itself into unrelated conversations and begin collecting preferences or context prematurely.

Missing User Warnings

Medium (89% confidence)

The skill instructs the agent to save user-specific preferences to memory but does not tell the user that this information will be retained. This is risky because it can lead to silent persistence of behavioral and environment data, undermining user expectations around transparency and consent.

Missing User Warnings

Medium (93% confidence)

The file explicitly defines persistent storage in ~/android-studio/memory.md for IDE version, platform, project types, pain points, and custom shortcuts without any warning or consent flow. Even though the data is not highly sensitive by itself, it is still user-specific profiling data that could accumulate over time and expose work habits or environment details.

VirusTotal

66/66 vendors flagged this skill as clean.
