v2.1.0

Mobilerun

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:51 AM.

Analysis

Mobilerun appears purpose-aligned for phone automation, but it grants very broad control over a connected Android device and sensitive apps, so it should be reviewed carefully before use.

Guidance: Install this only if you are comfortable giving an AI agent broad control over a connected Android device. Prefer a test or dedicated device, confirm any public, financial, messaging, purchase, app-install/delete, or shell-command action, monitor cloud-device billing, and revoke the API key or disable Accessibility when finished.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
"If a device is ready, go straight to executing the user's request" ... "Only ask the user when something is genuinely ambiguous."

The skill tells the agent to proceed without routine confirmation once a device is ready, which is risky for a tool that can control real apps and accounts.

User impact: The agent could quickly act on a misinterpreted request and tap, type, post, send, or change things on the phone before the user has reviewed the exact action.
Recommendation: Require explicit user confirmation for purchases, payments, public posts, messages, account changes, app installs/deletes, shell commands, and sensitive apps such as banking or health apps.
Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
references/use-cases.md
- **Social Media:** "Post a photo on Instagram" ... - **Messaging:** "Read my WhatsApp messages", "Send a message on Telegram to Mom" ... - **Data:** ... "Open my banking app and check my balance"

The documented examples include private message access, public social actions, direct messaging, and banking-app use, all of which are high-impact phone/account actions.

User impact: A mistake or overly broad instruction could expose private communications or cause visible actions on social, messaging, or financial apps.
Recommendation: Use a dedicated/test device where possible, keep the requested app and action tightly scoped, and require step-by-step confirmation for sensitive apps or account-affecting workflows.
Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
references/troubleshooting.md
POST /devices/{deviceId}/shell
{"command": "am start -a android.intent.action.MAIN -n com.android.vending/.AssetBrowserActivity"}

The documentation exposes a raw Android shell-command endpoint; even though the example is for launching the Play Store, the endpoint is a broad escape hatch.

User impact: Shell commands can bypass safer high-level phone-control actions and may alter apps, settings, or device state if used incorrectly.
Recommendation: Prefer scoped API actions over shell commands, and only run shell commands after the user has reviewed the exact command and expected effect.
Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Always terminate cloud devices (`DELETE /devices/{deviceId}`) when you're done using them ... This applies whether you provisioned the device yourself or finished a task on an existing cloud device

The skill instructs the agent to delete/terminate cloud devices as cleanup, including devices it did not necessarily create in the current task.

User impact: A cloud device could be shut down unexpectedly, interrupting work, losing transient device state, or affecting billed cloud resources.
Recommendation: Automatically terminate only devices created for the current task, and ask before terminating any pre-existing or ambiguous cloud device.
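The three recommendations above (confirm account-affecting actions instead of acting on a bare "device is ready", show the user the exact shell command before it runs, and auto-terminate only devices the current task provisioned) can all be enforced in one gate between the agent and the API. The following is an added example written for this review; it is not code from the Mobilerun skill or from ClawScan. Only the two endpoints quoted in the findings, POST /devices/{deviceId}/shell and DELETE /devices/{deviceId}, come from the page; BASE_URL, the bearer-header form, the action-kind names, the sensitive-app keyword list, the `confirm` callback and the `fake_send` stub are assumptions made here.

```python
"""Confirmation gate for an agent driving a Mobilerun-style device API.

Added example; not code from the Mobilerun skill or the ClawScan report.
Only the two endpoints quoted in the findings, POST /devices/{deviceId}/shell
and DELETE /devices/{deviceId}, come from the page. BASE_URL, the bearer header
form, the action names and the keyword lists are assumptions made here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

BASE_URL = "https://api.example.invalid"  # assumed placeholder, not the real host

# Action kinds that must never run on a bare "device is ready" (names assumed).
CONFIRM_ALWAYS = {
    "purchase", "payment", "public_post", "send_message",
    "account_change", "app_install", "app_delete", "shell",
}
# Apps treated as sensitive by name; the report singles out banking and health apps.
SENSITIVE_APP_KEYWORDS = ("bank", "health", "wallet", "pay")


@dataclass
class Action:
    kind: str          # "tap", "type", "shell", "send_message", "terminate_device", ...
    device_id: str
    app: str = ""      # package or app name the action targets, if known
    detail: str = ""   # exact shell command, message body, item to buy, ...


@dataclass
class DeviceGate:
    confirm: Callable[[str], bool]   # asks the user; True only on explicit approval
    api_key: str
    provisioned: Set[str] = field(default_factory=set)  # devices this task created
    audit: List[tuple] = field(default_factory=list)    # (action kind, decision)

    def register_provisioned(self, device_id: str) -> None:
        self.provisioned.add(device_id)

    def reason_to_confirm(self, action: Action) -> Optional[str]:
        """Why the user must confirm, or None if the action may proceed."""
        if action.kind in CONFIRM_ALWAYS:
            return f"{action.kind} is an account-affecting action"
        if any(k in action.app.lower() for k in SENSITIVE_APP_KEYWORDS):
            return f"{action.app} is a sensitive app"
        if action.kind == "terminate_device" and action.device_id not in self.provisioned:
            return f"{action.device_id} was not provisioned by this task"
        return None

    def authorize(self, action: Action) -> bool:
        reason = self.reason_to_confirm(action)
        if reason is None:
            self.audit.append((action.kind, "auto-allowed"))
            return True
        # Show the exact command or payload, not a paraphrase, so the user reviews what runs.
        prompt = f"{reason}. Run {action.kind} on {action.device_id}: {action.detail!r}? [y/N] "
        ok = bool(self.confirm(prompt))
        self.audit.append((action.kind, "confirmed" if ok else "denied"))
        return ok

    def request_for(self, action: Action) -> dict:
        """Build the HTTP request for the two endpoints quoted in the findings."""
        headers = {"Authorization": f"Bearer {self.api_key}"}  # header form assumed
        if action.kind == "shell":
            return {"method": "POST", "url": f"{BASE_URL}/devices/{action.device_id}/shell",
                    "headers": headers, "json": {"command": action.detail}}
        if action.kind == "terminate_device":
            return {"method": "DELETE", "url": f"{BASE_URL}/devices/{action.device_id}",
                    "headers": headers, "json": None}
        raise ValueError(f"no request builder for {action.kind!r}")

    def run(self, action: Action, send: Callable[[dict], int]) -> Optional[int]:
        """Gate, then send; returns the HTTP status, or None when the user declined."""
        if not self.authorize(action):
            return None
        return send(self.request_for(action))


def demo() -> tuple:
    """Constructed scenario with a user who approves nothing and a fake HTTP sender."""
    gate = DeviceGate(confirm=lambda prompt: False, api_key="REDACTED")
    gate.register_provisioned("dev-task-1")
    sent: List[dict] = []

    def fake_send(req: dict) -> int:  # stands in for a real HTTP client
        sent.append(req)
        return 200

    tap = Action("tap", "dev-task-1", app="com.android.settings")
    shell = Action("shell", "dev-task-1",
                   detail="am start -a android.intent.action.MAIN -n com.android.vending/.AssetBrowserActivity")
    own = Action("terminate_device", "dev-task-1")
    foreign = Action("terminate_device", "dev-existing-9")
    results = [gate.authorize(tap), gate.run(shell, fake_send),
               gate.run(own, fake_send), gate.run(foreign, fake_send)]
    return results, sent, gate.audit
```

In `demo()` the tap on a non-sensitive app is auto-allowed, the Play Store shell command from the troubleshooting doc is held for review and declined, the device this task provisioned is terminated without a prompt, and the pre-existing device is not; the gate returns `[True, None, 200, None]` and only one request reaches the sender. The prompt deliberately repeats the raw `command` string rather than the agent's summary of it, which is what the shell-command recommendation asks for, and every decision is appended to `audit` so a declined or mis-scoped action can be traced afterwards.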
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
references/security.md
The Portal app is distributed as an APK from GitHub Releases ... installed outside the Play Store

The required phone-side app is sideloaded from GitHub rather than installed through the Play Store; this is disclosed and expected for this setup.

User impact: Installing a high-permission APK from outside an app store carries the usual provenance and update risks: there is no store-side review, and updates must be obtained and checked manually.
Recommendation: Download only from the official Mobilerun/Droidrun links, verify the GitHub repository/release, and avoid installing APKs from third-party mirrors.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
references/security.md
`MOBILERUN_API_KEY` ... used solely for authenticating API requests ... requires the **Accessibility Service** permission ... Read the UI element tree ... Simulate taps, swipes, and text input

The skill uses a bearer API key plus Android Accessibility permission to access and control connected devices; this is disclosed and central to the purpose, but highly privileged.

User impact: Anyone or anything using the configured credential and connected Portal app can control the authorized device through the Mobilerun account.
Recommendation: Use a revocable key, monitor connected devices, disconnect or revoke the key when finished, and disable the Accessibility service when you no longer need remote control.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
references/security.md
**Screenshots and UI tree data** may contain personal information visible on the user's screen (messages, emails, photos, etc.).

The skill intentionally retrieves screen and UI context that may include sensitive personal content; the artifacts disclose this and say it is fetched on demand.

User impact: Private screen contents can become part of the agent's working context during a task.
Recommendation: Avoid opening unrelated sensitive screens, ask for confirmation before summarizing or sharing private content, and keep chat output limited to what the user requested.