Back to skill

Security audit

Devicebase

Security checks across malware telemetry and agentic risk

Overview

The skill is a straightforward usage guide for a remote mobile-device control CLI, with sensitive capabilities disclosed but needing caution around installers, credentials, screenshots, and device consent.

Install only if you trust Devicebase and need remote mobile-device automation. Use it only on devices and accounts you are authorized to control, review the remote installer before running it, keep DEVICEBASE_API_KEY private, and be careful because screenshots, hierarchy dumps, and text-entry commands can expose personal data or credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance is broad enough to trigger this skill for many generic automation requests without first establishing user intent, authorization, or data sensitivity. In a skill that can remotely control devices, launch apps, capture screenshots, inspect UI hierarchy, and input credentials, overbroad activation increases the chance of privacy-invasive or unauthorized actions being performed in the wrong context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages screenshot capture and UI hierarchy dumping without warning that these outputs may contain sensitive personal data, secrets, MFA prompts, tokens, messages, or account details. Because the tool targets live remote devices across Android, HarmonyOS, and iOS, silent collection or storage of these artifacts materially increases privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The text input examples include login-style automation with usernames and passwords but provide no warning about handling credentials safely. In a remote device-control skill, normalizing credential entry without guidance can lead to plaintext secrets in prompts, shell history, logs, transcripts, screenshots, or automation artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.