Appium Android Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill does what an Android automation bridge would do, but it has under-disclosed high-impact control paths and an app-specific implementation that does not match its generic description.

Review this carefully before installing. Use it only on a trusted machine and authorized test device, avoid sensitive apps, and do not run it in multi-user or untrusted local environments. The publisher should remove the broad Appium insecure flags, replace /tmp IPC with a private authenticated channel, document the persistent daemon and auto-launch behavior, and either make the bridge truly generic or clearly label it as targeting com.MobileTicket/12306.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return
    except Exception:
        pass
    subprocess.Popen(
        ["appium", "--allow-insecure", "all", "--relaxed-security",
         "--log", "/tmp/appium.log"],
        env={**os.environ, "ANDROID_HOME": os.path.expanduser("~/Library/Android/sdk"),
Confidence
96% confidence
Finding
subprocess.Popen( ["appium", "--allow-insecure", "all", "--relaxed-security", "--log", "/tmp/appium.log"], env={**os.environ, "ANDROID_HOME": os.path.expanduser("~/Library

Tainted flow: 'result' from pathlib.Path.read_text (line 278, file read) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
except Exception as e2:
                    result = {"ok": False, "error": str(e2)[:300]}

            RESP_FILE.write_text(json.dumps(result, ensure_ascii=False, default=str))

        time.sleep(0.1)
Confidence
94% confidence
Finding
RESP_FILE.write_text(json.dumps(result, ensure_ascii=False, default=str))

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes powerful capabilities including shell, file read/write, network access, and environment access, but declares no permissions or safety boundaries. In a skill that can start daemons and control a connected Android device, this omission prevents informed consent and weakens policy enforcement, making misuse or unexpected side effects more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior presents the skill as a generic Appium bridge, but the implementation reportedly hardcodes a specific target app, launches it automatically, uses app-specific parsing heuristics, and exposes undocumented lifecycle and IPC behavior. This mismatch is security-relevant because users and orchestrators may grant trust or invoke the skill under false assumptions, leading to unintended app interaction, hidden persistence, and unreviewed communication channels.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill can read UI state and inject taps, scrolling, and typing into any Android app, but the description does not clearly warn that it can perform broad UI control on a connected device. In this context, that omission is dangerous because the skill is effectively a high-privilege automation bridge capable of interacting with sensitive apps, approving prompts, or entering data without the user appreciating the scope of control.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The metadata description is broadly scoped ('Read and control any Android app') and does not define clear activation constraints, authorization boundaries, or limiting conditions. In an agent ecosystem, this can cause over-invocation or use in sensitive app contexts, increasing the chance of unintended interaction with arbitrary applications and device data.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Using fixed filenames under `/tmp` for command, response, and lock state creates a shared-system attack surface with risks including command injection by other local users/processes, response spoofing, symlink attacks, and leakage of screen contents. In a skill that can read and control a mobile app, that local IPC weakness is more dangerous because it grants indirect access to app actions and data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Launching Appium with --allow-insecure all and --relaxed-security materially weakens Appium's security model and exposes powerful automation features that are normally restricted. Even though the service binds to 127.0.0.1 here, any local process or a port-forwarded/compromised local environment could abuse the Appium server to interact with the connected Android device or invoke insecure endpoints.

VirusTotal

62/62 vendors flagged this skill as clean.
