ClawHub

openclaw-android

Security checks across malware telemetry and agentic risk

Overview

This skill is an Android device controller that openly uses root-level commands, but it can delete app data, install or uninstall apps, list files, and persist typed text in logs without strong safeguards.

Install only if you intentionally want root-level Android automation, preferably on a dedicated test or managed device. Avoid using the text command for secrets, review and clean the /sdcard/Download logs, and require explicit human approval before clear, install, uninstall, screenshot, or filesystem-listing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill’s declared purpose understates its actual capabilities: beyond app control and screenshots, it also documents destructive app-management actions (clear/uninstall/install), generic file listing, privileged key events, and persistent logging under root. This mismatch is dangerous because agents or users may invoke the skill under a narrower trust model than warranted, while the documented root-backed actions can alter device state, destroy app data, and expose filesystem information.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest description omits destructive app-management capabilities such as clearing app data and uninstalling apps, even though they are documented later in the skill. This creates a misleading security boundary: orchestration systems or users may approve the skill for benign device control while unknowingly granting access to operations that can delete data or remove software.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The skill includes a general file-listing capability but does not disclose that in the manifest description. While listing files is less severe than destructive operations, on a rooted device it can reveal sensitive filesystem structure, filenames, or user data locations beyond what a caller expects from an app-control skill.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script exposes destructive package-management operations (`pm clear`, `pm install -r`, `pm uninstall`) that are not covered by the stated skill description, which only mentions app control, listing installed apps, UI interaction, and screenshots. Because the script also attempts root escalation up front, these hidden capabilities materially expand what the skill can do and could be abused to erase app data, replace software, or remove apps from the device.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The `ls` command provides arbitrary filesystem listing that is not described in the skill's purpose of controlling Android apps. On a rooted device, directory enumeration can expose sensitive paths and data, expanding the skill from app automation into broader host inspection without clear justification.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Arbitrary directory listing is not reasonably necessary for the stated app-control workflow and therefore represents unjustified capability creep. In this context, especially with prior root escalation, it increases the risk of reconnaissance over device contents and can help an attacker identify sensitive files or locations for follow-on abuse.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation description is broad enough to match many generic Android-control requests, which increases the chance the skill is invoked in contexts where root-privileged execution is unnecessary or inappropriate. Because the skill can perform sensitive operations on-device as root, overbroad routing materially raises misuse risk and weakens least-privilege boundaries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation presents app-data clearing and uninstall operations as routine commands without any explicit warning about irreversible data loss or service disruption. In a skill intended for agent use, that omission is dangerous because it normalizes destructive actions and makes accidental invocation or unsafe automation more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes root-privileged device control and screenshot capture without a clear privacy, integrity, or consent warning. In context, root access plus UI interaction and screen capture can expose sensitive information, manipulate apps, and bypass normal user protections, making the skill significantly more dangerous than ordinary device automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`pm clear` irreversibly deletes an app's local data, potentially removing user state, cached credentials, and unsynced content. The script performs this destructive action immediately based on arguments, with no confirmation, no dry-run mode, and no warning beyond a log entry, making accidental or coerced invocation more dangerous.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Uninstalling an application is a destructive operation that can remove software the user relies on and may also discard associated data. Because the script accepts a package name and executes the uninstall without any explicit confirmation or safety interlock, misuse or prompt injection through higher-level tooling could cause unintended app removal.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally invokes `su` before processing any command, meaning all subsequent operations may run with elevated privileges even when root is unnecessary. In a skill that already exposes app lifecycle control, input injection, screenshots, package management, and filesystem listing, unconditional privilege escalation substantially increases the blast radius of any misuse or compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal