harmony-hdc
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes 'hdc' (HarmonyOS Device Connector) system commands using 'child_process.spawnSync' with argument arrays. This implementation correctly avoids shell injection vulnerabilities on the host system while providing necessary device control capabilities.
- [DATA_EXFILTRATION]: The skill includes functionality to capture screenshots from a connected device and retrieve files using 'hdc file recv'. These operations are performed locally between the host and the device, with no evidence of external data transmission.
- [PROMPT_INJECTION]: An analysis of the indirect prompt injection surface was performed:
  - Ingestion points: Command output from 'hdc shell aa dump -l' is processed in 'scripts/hdc_helpers.ts'.
  - Boundary markers: None detected in the raw command output.
  - Capability inventory: The script can execute arbitrary 'hdc shell' commands through the 'shell' subcommand.
  - Sanitization: The script employs regex (e.g., '/\[([^\]]+)\]/') to strictly extract application names and state information, which effectively mitigates the risk of processing malicious command output.
Audit Metadata