Android Remote Browser Debug
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Android browser debugging skill, but it can inspect and run JavaScript in a live mobile browser session, so users should use it only on intended pages and clean up any saved debug output.
Install only if you intentionally want the agent to debug an Android browser via USB/ADB. Before use, verify the device and target tab, close unrelated sensitive pages, review any JavaScript to be executed, and remove ADB forwards plus temporary output files after debugging.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong tab or with unsafe JavaScript, the agent could read page data or change page state in the user's mobile browser session.
The skill documents using raw Chrome DevTools Protocol commands to evaluate arbitrary JavaScript in the connected mobile browser. This is central to the debugging purpose, but it can affect whatever authenticated page is selected.
method: 'Runtime.evaluate', params: { expression: 'YOUR_JS_HERE', returnByValue: true }
Use it only after confirming the connected device and target tab, and review JavaScript expressions before running them.
The agent may be able to inspect pages, network activity, DOM contents, screenshots, and session-backed web app state from the connected phone browser.
Forwarding the browser DevTools socket gives local access to the phone browser's current tabs, which may include authenticated sessions. This is expected for remote debugging but should be treated as privileged access.
/Users/song/Library/Android/sdk/platform-tools/adb forward tcp:9222 localabstract:chrome_devtools_remote
Close unrelated sensitive tabs, use a trusted device, and disconnect/remove the ADB forward when debugging is finished.
The skill may fail or use whatever local ADB/Node/ws installation is available, so tool provenance is left to the user.
The instructions rely on local tools and a Node WebSocket dependency, while the registry metadata declares no required binaries or install specification. This is not suspicious by itself, but users must supply and trust these local dependencies.
ADB is installed (Android SDK platform-tools) ... const WebSocket = require('ws');
Install ADB and Node dependencies from trusted sources and adjust the hard-coded ADB path to the user's own SDK location.
Debug artifacts may remain on disk after the session and could include private web page or app data.
The skill recommends redirecting debug output to temporary files. Since the same skill can collect DOM snapshots, network information, console logs, and screenshots, those files may retain sensitive page content locally.
node tmp_phone_debug.js > /tmp/phone_out.txt 2>&1
Delete temporary output files after debugging and avoid capturing sensitive pages unless necessary.
