android-release-build-setup
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): An automated scanner (URLite) detected a malicious URL (Blacklist signature URC963ABB0F8500309-0200) associated with the 'proguard-rules.pro' file. The skill is designed to create and manage this file. Malicious URLs in build configurations can be used to facilitate supply chain attacks.
- [DATA_EXFILTRATION] (MEDIUM): The skill generates production keystores and stores credentials in cleartext (KEYSTORE_INFO.txt) and 'gradle.properties'. Accessing and modifying sensitive global configuration files like '~/.gradle/gradle.properties' is a high-privilege operation that poses a risk of credential exposure, although the skill correctly advises using .gitignore.
- [COMMAND_EXECUTION] (LOW): The skill executes './gradlew', which runs arbitrary code defined in the project's Gradle scripts. While standard for Android development, this represents an execution surface for untrusted project data.
- [INDIRECT PROMPT INJECTION] (LOW): The skill possesses an indirect injection surface. 1. Ingestion points: Android project files and Gradle scripts (SKILL.md). 2. Boundary markers: Absent. 3. Capability inventory: Subprocess execution of gradlew and jarsigner. 4. Sanitization: None. The skill assumes the project files are safe.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata