operate-android-devices-with-bochi
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes
adb(Android Debug Bridge) commands to interact with connected Android devices. This includes taking UI dumps (uiautomator dump), simulating input events (input tap,input text,input swipe), and querying screen dimensions (wm size). These operations are the primary and intended function of the tool for automating Android interactions. - [INDIRECT_PROMPT_INJECTION]: The skill possesses a potential surface for indirect prompt injection. It reads the UI hierarchy from an external Android device and prints the raw XML content of matched elements to the agent's console. If an application on the device displays malicious text (e.g., instructions meant to override the agent's behavior), the agent could process this text as part of its instructions.
- Ingestion points: The UI hierarchy is retrieved in
src/ui_element.rsviaadb shell uiautomator dumpand read from/sdcard/window_dump.xml. - Boundary markers: No explicit delimiters or 'ignore' instructions are wrapped around the XML output in
src/main.rsbefore it is printed to the agent. - Capability inventory: The skill can execute various ADB commands to manipulate the device, which could be abused if an agent follows injected instructions.
- Sanitization: The skill performs XML attribute escaping (handling
&,<,>, and") insrc/ui_element.rs, which prevents malformed XML but does not filter the semantic content of the text for potential injection strings.
Audit Metadata