Android Adb Skill

Security checks across malware telemetry and agentic risk

Overview

This Android ADB skill appears useful for device testing, but it gives an agent broad device-control abilities without enough explicit user confirmation for disruptive actions.

Install only if you intentionally want an agent to control Android devices through ADB. Before using it, confirm the exact connected device and package name, and require a manual confirmation before uninstalling apps, clearing app data, force-stopping apps, rebooting, or running shell commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

High

Confidence: 95% confidence
Finding: The skill defines activation triggers using very broad everyday phrases like '试一下', '看看效果', and '帮我装一下', then mandates immediate ADB device detection and follow-on actions whenever Android context is present. This can cause unintended invocation of a powerful device-control skill, increasing the chance of executing sensitive operations on connected devices without sufficiently explicit user intent.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill includes destructive or disruptive capabilities such as uninstalling apps, clearing app data, force-stopping apps, and rebooting devices, but does not require explicit warnings or confirmation about data loss, service interruption, or device state changes. In an automated assistant context, this omission materially raises the risk of accidental harmful actions against user devices and data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal