termux-api
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill provides numerous commands to access sensitive personal data, including termux-sms-list (messages), termux-contact-list (contacts), termux-call-log (call history), and termux-location (GPS). It also enables hardware-based surveillance via termux-camera-photo and termux-microphone-record. If an agent is compromised or follows malicious instructions, this data can be easily exfiltrated via network commands.
- [COMMAND_EXECUTION] (HIGH): The primary function of the skill is to execute shell commands over SSH on a remote device. This grants the agent a high degree of control over the target Android environment, including the ability to modify settings, set wallpapers, and interact with the system clipboard via termux-clipboard-set and termux-clipboard-get.
- [EXTERNAL_DOWNLOADS] (LOW): The skill includes instructions for termux-download <url> and termux-open-url <url>, which allow the agent to trigger file downloads or open external web pages on the device, potentially leading to the delivery of malicious payloads.
Recommendations
- AI detected serious security threats