Agent Device

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill matches its mobile automation purpose, but it can control apps and save diagnostic artifacts, so users should verify the external CLI and limit it to intended devices.

Before installing, make sure the agent-device CLI comes from a trusted, pinned source. Prefer simulators, test devices, and test accounts for autonomous runs. Keep logging and recording off unless needed, review and clear ~/.agent-device artifacts, protect any iOS signing variables, and require explicit approval for sensitive in-app actions.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may tap, type, open apps or URLs, and run short sequences on a mobile target, which could change app state or submit actions if pointed at a sensitive app.

Why it was flagged

This documents direct mobile UI mutation and batched execution. That is expected for a mobile automation skill, but it can affect the target app/device.

Skill content
Normal UI task: `open` -> `snapshot -i` -> `press/fill` -> `diff snapshot -i` -> `close` ... `agent-device batch --steps-file /tmp/batch-steps.json --json`
Recommendation

Use it on intended simulators/devices and test accounts where possible, and require explicit confirmation before transactions, account changes, destructive actions, or other high-impact UI steps.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running an untrusted or unpinned agent-device binary could give that executable the same device automation capabilities described by the skill.

Why it was flagged

The skill relies on an external CLI/package rather than bundled reviewed code. The artifact gives safer pinning guidance, but provenance still matters.

Skill content
Prefer a preinstalled `agent-device` binary over on-demand package execution. If install is required, pin an exact version (for example: `npx --yes agent-device@<exact-version> --help`).
Recommendation

Install agent-device from a trusted source, pin exact versions, avoid ad-hoc package execution when possible, and verify the binary before using it with real devices or accounts.

ASI03: Identity and Privilege Abuse
Low
What this means

Supplying signing or provisioning details may expose sensitive development-team configuration if copied into chat logs or committed to source control.

Why it was flagged

Physical iOS device setup may use signing/provisioning values. The artifacts mark them optional and sensitive, which is appropriate but still permission-relevant.

Skill content
provide optional overrides: `AGENT_DEVICE_IOS_TEAM_ID`, `AGENT_DEVICE_IOS_SIGNING_IDENTITY`, `AGENT_DEVICE_IOS_PROVISIONING_PROFILE` ... Treat values as sensitive host configuration
Recommendation

Prefer Xcode Automatic Signing when possible, keep these variables unset unless needed, and never paste private keys or unrelated secrets into the agent context.

ASI06: Memory and Context Poisoning
Low
What this means

App logs may contain tokens, personal data, crash details, or other sensitive runtime information if logging is enabled.

Why it was flagged

Persistent logs can capture private app/runtime data and may be selectively introduced into the agent context during debugging.

Skill content
App output is written to a session-scoped file so agents can grep it instead of loading full logs into context. ... Log files may contain sensitive runtime data; review before sharing and clean up when finished.
Recommendation

Keep logging off except during debugging, use bounded grep/tail views, configure redaction patterns when needed, and clear session logs after use.