agent-android

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the agent-android CLI to perform various actions on a connected device, such as launching packages, simulating taps, and swiping. These commands are executed locally to facilitate the primary RPA functionality.
  • [DATA_EXFILTRATION]: The tool captures UI trees and screenshots from the mobile device. While this involves sensitive content, the instructions explicitly state that this data should remain on the phone and the controlling machine, and they emphasize seeking user confirmation before interacting with private apps.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes UI element text and descriptions from external Android applications, creating a surface for indirect prompt injection where malicious app content could attempt to influence the agent's logic.
      • Ingestion points: UI trees and attribute data retrieved through the agent-android CLI (e.g., list, get-attr).
      • Boundary markers: Absent. The skill does not define specific delimiters to separate UI data from instructions, although it recommends a human-in-the-loop workflow.
      • Capability inventory: The agent can launch apps, input arbitrary text, and perform navigation actions based on the parsed UI content.
      • Sanitization: No automated filtering or sanitization of retrieved UI strings is described in the provided workflow.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 22, 2026, 01:19 AM