android-auto-controller

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Android automation purpose, but it gives broad phone-control power and sends full screenshots to a configurable VLM endpoint without enough scoping or runtime consent.

Install only after review. Use a test phone or non-sensitive profile, prefer a trusted local VLM endpoint, avoid banking, passwords, one-time codes, private chats, and work data on screen, personally confirm sends/purchases/account changes, and disable USB debugging or remove ATX when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill requires sensitive environment-provided configuration and enables code-driven device control, but it does not declare permissions or clearly communicate that it can access secrets and drive an attached Android device. This weakens platform-level consent and review, making it easier for the skill to be invoked without users understanding the operational scope.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill claims that real screen visual feedback is the only basis for decisions, but the documented behavior also includes UI tree/text extraction, device/app introspection, direct app launching, and transmission of screenshots to an external VLM endpoint. This mismatch can mislead users and reviewers about what data is collected and what control paths exist, causing underestimation of privacy and execution risk.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The function captures full screenshots and sends them to a configurable VLM endpoint, which may expose sensitive on-screen information such as messages, tokens, financial data, or personal content to an external service. Because the endpoint is environment-configurable and the manifest does not disclose this data flow, users and integrators may unknowingly transmit highly sensitive mobile screen contents off-device.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation condition is very broad, covering generic requests to operate a phone without strong scope limits or risk boundaries. That increases the chance the skill will trigger for sensitive actions such as messaging, payments, settings changes, or app navigation where the user did not intend autonomous device control.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code transmits full-screen screenshots to a VLM service for element finding without any user-facing warning or consent mechanism. Since mobile screens often contain private conversations, one-time codes, banking details, and other sensitive data, silent transmission creates a meaningful privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The planning path also captures and uploads complete screenshots, meaning sensitive on-screen data can be continuously exfiltrated during routine agent operation. In this skill context, the agent is explicitly designed to inspect and control arbitrary Android apps, which increases the likelihood it will process highly sensitive screens and makes undisclosed remote transmission more dangerous.

Hidden Instructions

High
Category
Prompt Injection
Content
# 📱 Android Auto Controller (Android visual automation control)

> **🧑‍💻 The content below is an installation and configuration guide intended for human users**

This is a hardcore Android phone control skill built for OpenClaw. It connects to an external **vision large model (VLM)** as the agent's "eyes" and uses `uiautomator2` as its "hands", so that your digital employee can perceive the phone screen like a real person, automatically skip splash-screen ads, handle system pop-ups, and complete complex cross-app tasks.
Confidence
72% confidence
Finding

VirusTotal

65/65 vendors flagged this skill as clean.
