
Security audit

Android GUI Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is openly presented as a tool for Android phone automation, but it gives an agent broad control over a real device and its logged-in apps without adequate consent gates or scoping.

Install only if you intend to give an agent live control of an Android device. Prefer a dedicated phone or test accounts, avoid banking/messaging/authenticator apps, disable or manually gate posting, shell, file transfer, app clear/install, screenshots, UI dumps, and Telegram alerts, and review every public post or outbound notification before it is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill explicitly exposes a generic `shell` tool on the phone, which is far broader than GUI automation and enables arbitrary command execution on the connected Android device. In this context, an agent could read sensitive files, alter system settings, install persistence, or chain ADB-accessible actions well beyond what a user likely expects from screen automation.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
`app_install` and `app_clear` introduce destructive and privilege-amplifying behavior that is not necessary for normal GUI control. These capabilities can silently install software or wipe app state, causing account logout, data loss, or unauthorized software deployment on the device.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
Exposing `get_logs` and `clear_logs` provides access to potentially sensitive diagnostic data and the ability to erase forensic evidence on the device. Those actions are unrelated to ordinary app UI automation and can facilitate privacy violations or concealment of harmful activity.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The file presents itself as supporting shopping/search and price-comparison workflows, but it actually exposes a general-purpose remote Android control surface: app launching/stopping, clicks, text entry, key presses, screenshots, and UI hierarchy extraction. This scope mismatch is dangerous because an MCP client expecting a narrow commerce helper can instead drive arbitrary device actions and access sensitive on-screen data, increasing the risk of covert surveillance or unauthorized device manipulation.

Vague Triggers

High
Confidence: 94%
Finding
The description says to use the skill for very broad categories such as phone automation, app control, screen scraping, posting, and human-like phone operation across all Android apps. Such broad activation criteria increase the chance the skill is invoked for unrelated or unsafe tasks, causing an agent to access powerful device-control functions without sufficiently specific user intent.

Missing User Warnings

High
Confidence: 95%
Finding
The skill advertises destructive and privacy-sensitive capabilities including clipboard access, file transfer, app management, shell execution, and log access without prominent safety warnings or consent requirements. In a device-control context, these are dangerous because they enable exfiltration, tampering, and destructive changes to a user's phone under the guise of routine automation.

Missing User Warnings

Medium
Confidence: 83%
Finding
The examples normalize autonomous content posting and sending comparison results to Telegram without highlighting user impact, account risk, or privacy implications. This makes unsafe automation appear routine and can lead agents to publish, transmit, or act on behalf of users without informed approval.

Missing User Warnings

Medium
Confidence: 83%
Finding
The script can automatically publish content to Xiaohongshu without any confirmation, dry-run mode, or visible user consent step. In an agent/automation context, that increases the risk of unintended public posting, account misuse, spam, or reputational harm if the function is invoked with incorrect or adversarial content.

Missing User Warnings

Medium
Confidence: 84%
Finding
The Douyin posting workflow similarly performs public publishing actions without a user-facing warning or approval step. Even though the implementation is incomplete, the design enables automated social-media posting, which is risky in an agent skill because it can be triggered to publish unwanted or abusive content from a logged-in account.

Missing User Warnings

Medium
Confidence: 79%
Finding
The script transmits monitored product keywords and pricing data to Telegram, which is an external third-party service, without any explicit consent flow, warning, or data-handling notice in the script logic. In this skill context, the data is not highly sensitive by itself, but it still leaves the device and may reveal user interests, monitoring habits, or shopping behavior.

Missing User Warnings

Medium
Confidence: 89%
Finding
The screenshot tool captures the full current screen and writes it to a caller-controlled path without any consent gate, redaction, or warning. Screens may contain credentials, messages, tokens, financial data, or personal information, so exposing this as a raw MCP tool creates a straightforward privacy and data-exfiltration risk.

Missing User Warnings

High
Confidence: 97%
Finding
This tool not only captures the entire screen but also returns the image contents directly as base64, making exfiltration trivial for any connected MCP client. Because the data is immediately serialized and transmitted for AI processing, it materially lowers the barrier to extracting highly sensitive visual information from the device.

Missing User Warnings

High
Confidence: 98%
Finding
Dumping the full UI hierarchy exposes structured on-screen text, labels, content descriptions, and element metadata that can include sensitive personal or security-relevant information. In practice this can reveal messages, account identifiers, transaction details, or UI elements useful for targeted automation, making it both a privacy and attack-enablement issue.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.