Security audit

Fix Universal Apk Installation

Security checks across malware telemetry and agentic risk

Overview

This skill is an APK repair helper, but it rewrites and re-signs a hard-coded APK using embedded signing details, so users should review and edit it before running.

Install only if you are comfortable editing the script first. Work on a copy of the APK, set explicit input and output paths, remove hard-coded signing passwords, use a dedicated non-production test key, avoid personal or production devices for sideloading, and verify the final APK before distributing or installing it.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Medium
91% confidence
Finding
The skill instructs users to overwrite and modify the original APK in place, including repacking, aligning, and re-signing, without an explicit backup warning. This is dangerous because it can irreversibly alter the original artifact, destroy provenance, and cause users to lose a working or evidentiary copy of the APK.

Missing User Warnings

Medium
95% confidence
Finding
The script includes direct use of keystore material and hardcoded signing credentials without any warning about secrecy or safe handling. Exposing keystore paths and passwords can lead to unauthorized signing, compromise of app trust, and reuse of sensitive credentials beyond this workflow.

Missing User Warnings

Medium
97% confidence
Finding
The script embeds keystore location, alias, and both keystore/key passwords directly in the file, then uses them for APK signing. Hardcoded secrets are easily exposed through source control, logs, backups, or local file disclosure, allowing unauthorized signing or reuse of the same credentials in other contexts.

Missing User Warnings

Medium
90% confidence
Finding
The script forcefully deletes and overwrites files in /tmp and replaces the target APK in place without validation, backup, or confirmation. If paths are wrong, symlinked, or collide with other temporary content, this can cause data loss, clobber unrelated files, or produce unsafe behavior during execution.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.