adb
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill uses overly permissive wildcard patterns in the allowed-tools YAML frontmatter (e.g., Bash(adb pull*), Bash(adb shell cat*)). If these prefixes are evaluated in a shell context, they allow for command injection using metacharacters like semicolon, ampersand, or pipe, potentially leading to arbitrary code execution on the host machine.
- [DATA_EXFILTRATION] (MEDIUM): Commands such as adb pull* and adb shell cat* allow the agent to read and retrieve any file from the Android device that the ADB daemon has access to. This includes sensitive system information, application databases, and private user data. While intended for debugging, the lack of path constraints is a significant risk.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data from the Android device through several channels.
  - Ingestion points: The commands adb logcat, adb bugreport, adb shell cat, and adb shell settings get all retrieve data from the device that may be controlled by malicious third-party applications (SKILL.md).
  - Boundary markers: The instructions in SKILL.md do not provide any delimiters or warnings telling the agent to treat external device data as untrusted.
  - Capability inventory: The skill possesses extensive inspection and data retrieval tools that could be abused if the agent is manipulated by injected instructions (SKILL.md).
  - Sanitization: No sanitization or validation of the device-provided data is performed before it is processed by the AI.
Recommendations
- AI detected serious security threats
Audit Metadata