pokeclaw-android-ai-agent
Fail
Audited by Snyk on Apr 11, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill's tools accept arbitrary text (e.g., input_text, send_message), and the dispatcher returns and logs those exact strings (e.g., Typed: "…") back into the agent history. The LLM may therefore need to emit secrets verbatim in tool calls and will then have those secrets echoed in tool outputs, which allows exfiltration. The cloud API key itself is read from the environment, which is safe; the risk comes from the tool-return behavior.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's ModelManager explicitly downloads a Gemma model from a public HuggingFace URL (modelUrl in ModelManager.kt), and the downloaded external model is loaded as the on-device LLM that drives tool calls and decisions, so untrusted third-party content can directly influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's ModelManager downloads the runtime LLM from https://huggingface.co/google/gemma-4-e2b-it-litert/resolve/main/model.litertlm, which is a required runtime dependency and directly controls the agent's outputs/behavior.
Issues (3)
W007 (HIGH): Insecure credential handling detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata