Android Smssdk Integration

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Android SMSSDK integration helper, with the main caution that its trigger phrases are broad enough to activate unintentionally.

Install this if you specifically want help integrating MobTech SMSSDK in an Android project. Before allowing edits, confirm the project path and review proposed Gradle, manifest, and source-code changes; avoid relying on generic SMS-verification requests to invoke it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 91% confidence
Finding
These trigger phrases are broad natural-language requests that many assistants or users could say in ordinary Android development conversations, increasing the chance of unintended skill invocation. In a skill that proposes project modification workflows, accidental activation can cause confusing guidance, misapplied changes, or disclosure of integration steps when the user did not explicitly request this specific SMS SDK.

Vague Triggers

Medium, 95% confidence
Finding
Standalone keywords like '短信验证码' or 'SMSSDK 集成' are generic enough to match many unrelated support requests, especially in ecosystems with multiple SMS providers and verification implementations. This makes over-triggering more likely and can route users into a specialized integration workflow that is not appropriate for their stack, leading to erroneous advice or unintended file-edit flows.

Vague Triggers

Medium, 83% confidence
Finding
The trigger phrases include broad marketing-style requests such as '快速接入短信验证' and '自动配置 SMSSDK', which may cause the skill to activate in contexts where the user did not intend filesystem edits or project modification. In this skill, unintended invocation is more dangerous because later steps ask for project paths and propose modifying Gradle files and source code.

VirusTotal

66/66 vendors flagged this skill as clean.
