ClawHub

mobizen-gui

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Android automation purpose, but it enables real phone control and model/API data flows without enough privacy and safety guardrails.

Install only if you intend to use real Android device automation. Use a test device or non-sensitive profile first, avoid financial/account/messaging tasks unless you directly supervise them, prefer trusted or local model endpoints for sensitive screens, protect API keys, keep ADB over USB where possible, and clean up screenshots, ADBKeyboard, wireless ADB, and model servers after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description is very broad and can activate on generic terms like 'ADB', 'run agent', or 'configure model', increasing the chance the skill is invoked in situations where the user did not clearly consent to mobile-device automation. In this context, over-triggering is risky because the skill enables real Android control and can lead users into executing impactful device actions without clear guardrails or confirmation boundaries.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs users to configure remote model endpoints but does not warn that screenshots, UI state, typed content, and other device context may be sent to third-party APIs. Because this tool automates a live Android device, transmitted screenshots may contain highly sensitive information such as messages, financial apps, personal data, or credentials visible on screen.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description presents Android control and task execution as routine setup guidance without warning that the framework can perform real taps, typing, swipes, and system actions on a connected device. Missing this warning can cause users to underestimate the operational risk, especially when running tasks on personal or production devices.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal