ClawMobile - Android Automation Toolkit

Security checks across malware telemetry and agentic risk

Overview

This Android automation skill is mostly coherent, but it needs Review because it can remotely control a device while shipping weak default authentication and broad network settings.

Install only if you intentionally want this skill to control an Android device. Before use, replace every default token, bind services to localhost or a trusted network, avoid exposing the API publicly, avoid storing real tokens in ~/.bashrc, and do not record or automate sensitive apps unless you understand where screenshots, UI trees, logs, task files, and responses are stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill documents a hardcoded default token value in configuration examples (for example, default_token entries), which can normalize insecure deployments and lead users to run an automation API with predictable credentials. In the context of an Android automation server capable of executing workflows, recording UI actions, and interacting with apps, weak default authentication can enable unauthorized device control and sensitive data access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper embeds explicit anti-detection behavior (`random_offset` and `random_delay`) into generated automation tasks by default. In an Android automation/RPA client, this can be used to make automated interactions appear less deterministic and evade bot-detection or platform safeguards, which exceeds a neutral client role and increases misuse potential.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This second helper repeats the same anti-detection defaults, making evasion behavior pervasive across task creation rather than incidental. Because it applies to text-input automation as well, it broadens the capability to automate interactions in ways designed to reduce detection by target applications.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The changelog advertises UI operation recording, screenshot capture, and UI tree capture but provides no warning that these features can collect sensitive on-screen content, credentials, personal data, or app state. In an Android automation/RPA skill, documenting such capture capabilities without privacy constraints or consent guidance increases the risk of unsafe deployment and misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The changelog lists remote execution and management endpoints for executing workflows, stopping tasks, modifying workflows, and testing connections, but includes no warning about network exposure, authorization boundaries, or potentially destructive effects. For a tool designed for unattended Android automation and HTTP API control, omission of operational safety guidance materially increases the chance of insecure exposure or unintended high-impact actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad and overlap with ordinary user requests such as running workflows, recording actions, automation testing, and batch execution. In a skill that can control Android devices, record screens, call APIs, and potentially execute destructive actions like workflow deletion, unintended activation materially increases the chance of unauthorized or accidental operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises screen recording, UI tree capture, HTTP API access, AI intervention, and broad device automation but does not prominently warn about privacy, credential exposure, destructive actions, or operational risks. In this context, users may unknowingly automate sensitive apps or capture personal data, increasing the chance of misuse and unsafe deployment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code exposes automated text entry into arbitrary screen coordinates with no confirmation, restriction, or safety interlock before sending user-supplied text to the target UI. In the context of an Android automation/RPA tool, that can be used to submit messages, credentials, commands, or destructive form input to other apps, making unintended or abusive actions easier.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The executor provides direct click automation on arbitrary coordinates without any user-facing confirmation, policy check, or guardrail. In a mobile automation toolkit, such actions can trigger purchases, permission grants, message sends, navigation changes, or other sensitive UI effects in external applications, so silent execution increases misuse and accidental harm risk.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- `GET /workflows/{id}` - Get workflow details
- `POST /workflows` - Create a workflow
- `PUT /workflows/{id}` - Update a workflow
- `DELETE /workflows/{id}` - Delete a workflow
- `POST /api/v1/workflows/{id}/validate` - Validate a workflow

### 2. Recording feature ⏺️
Confidence
80% confidence
Finding
`DELETE /workflows/{id}`

VirusTotal

64/64 vendors flagged this skill as clean.
