firebase-apk-scanner

Fail

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's workflow and manual testing sections directly interpolate the $ARGUMENTS variable into shell commands without protective shell quoting. This occurs in multiple instances:
      • ls -la $ARGUMENTS in the validation step.
      • {baseDir}/scanner.sh $ARGUMENTS when executing the main scanner script.
      • apktool d -f -o ./decompiled $ARGUMENTS in the manual testing instructions.
    An attacker could exploit this by providing a string containing shell metacharacters (e.g., ;, &, |) to execute unauthorized commands on the underlying system.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes curl to interact with remote Firebase and Google API endpoints for security testing purposes. It targets well-known services including identitytoolkit.googleapis.com, firebaseio.com, firestore.googleapis.com, and firebasestorage.googleapis.com. These network operations are consistent with the skill's intended functionality of auditing Firebase backends.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 28, 2026, 10:35 PM