Skills
skills/agentiveau/myagentive/android-use/Gen Agent Trust Hub

android-use

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it uses external, untrusted UI data to drive agent decision-making.
  • Ingestion points: The skill pulls UI hierarchy XML (window_dump.xml) and screenshots from a connected Android device via adb shell uiautomator dump and adb shell screencap.
  • Boundary markers: No boundary markers or instructions to ignore embedded instructions within the parsed UI text are present.
  • Capability inventory: The skill has high-privilege capabilities including arbitrary command execution via adb shell, input simulation (tap, type, swipe), and app management (launch/stop).
  • Sanitization: There is no evidence of sanitization or filtering of the UI text before it is processed by the agent. An attacker could display malicious instructions on the device screen (e.g., via a notification, a website in Chrome, or a malicious app) to take control of the agent.
  • [COMMAND_EXECUTION] (HIGH): The skill makes extensive use of adb shell to execute commands on the connected device. This includes input tap/text/keyevent, monkey for app launching, and am/pm for process and package management. If the agent is compromised via prompt injection, these commands can be used to perform unauthorized actions on the device.
  • [DATA_EXFILTRATION] (HIGH): The skill accesses highly sensitive data by dumping the full UI hierarchy and taking screenshots of the device. This data is stored in /tmp/screen.xml and /tmp/screen.png. While no direct network exfiltration is scripted, the agent is instructed to read this data, which could contain passwords, private messages, or PII visible on the screen.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on a local script scripts/parse_ui.py to process UI data. This script is not provided in the source for verification. Although the documentation references a trusted repository (anthropics/android-action-kernel), the actual script being executed is unverified.
  • [CREDENTIALS_UNSAFE] (LOW): Automated scanners flagged com.app as a malicious phishing URL. In the context of this skill, com.app appears to be used as a generic placeholder for an Android package name (e.g., com.app:id/submit_btn), but its presence in metadata and examples should be noted as a potential (though likely false-positive) risk.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:28 AM