Android FlyVerify Integration

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Android FlyVerify setup helper, but users should review its project-file edits, MobTech keys, Maven repository, and Gradle command before approving them.

Install/use this only on a project under version control or a backup branch. Review each proposed file change before approval, verify the Maven repository and FlyVerify dependency source, keep appKey/appSecret private, and run Gradle only after you are comfortable with the added repository and dependency resolution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium (92% confidence)

Finding:
The skill does more than provide guidance: it instructs the agent to modify Gradle files, insert source code into user projects, and run build commands. Any skill that can alter project files or execute commands in a developer workspace increases supply-chain and integrity risk, especially because it adds remote repositories and dynamic dependencies without strong verification.

Description-Behavior Mismatch

Medium (88% confidence)

Finding:
The declared boundary says the skill is limited to integration guidance, but the workflow includes creating files, editing project configuration, and inserting code. This mismatch can cause users or orchestration systems to grant the skill more trust than warranted, leading to unintended project modifications and reduced oversight.

VirusTotal

64/64 vendors flagged this skill as clean.