android-build
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill instructs users to run
sudo apt-get install, which grants root privileges to install system-wide packages. - COMMAND_EXECUTION (HIGH): The documentation includes the command
adb shell su -c "setenforce 0", which allows executing commands with root privileges on connected devices and explicitly disables SELinux, a critical security enforcement layer. - REMOTE_CODE_EXECUTION (HIGH): The skill uses the pattern
curl [URL] > [file] && chmod a+x [file]to download and execute therepotool. While the source is a trusted Google domain, the method of fetching and executing scripts outside of a package manager is inherently high-risk. - EXTERNAL_DOWNLOADS (LOW): Downloads the
repoutility fromstorage.googleapis.com. This is considered a trusted source within the Android development ecosystem, which downgrades the download risk itself per security protocols. - DATA_EXFILTRATION (LOW): Recommends the use of
./gradlew --scan, which is a feature that uploads build metadata, environment details, and performance data to Gradle's external servers for analysis.
Recommendations
- AI detected serious security threats
Audit Metadata