app-updater
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides logic to download and install Android application packages (APKs) from arbitrary remote URLs defined in a version manifest, which allows for the replacement of application code from a remote source.
- [EXTERNAL_DOWNLOADS]: Fetches external binaries and configuration files from remote endpoints. The process relies on the security of the hosting server (e.g., GitHub Pages or a private API) to prevent the distribution of malicious updates.
- [COMMAND_EXECUTION]: Instructs the use of high-privilege Android permissions, specifically 'REQUEST_INSTALL_PACKAGES', to trigger the OS-level installation intent for downloaded binaries.
- [REMOTE_CODE_EXECUTION]: The implementation lacks cryptographic integrity checks (such as file hashes or checksums) within the version manifest to verify the APK's authenticity before triggering the installation process, relying solely on standard Android signature verification.
Audit Metadata