hz-android-2d-porting

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the user to utilize the hzdb CLI tool for installing and launching APKs on a connected Quest device, interacting directly with the device filesystem and process manager.
  • [EXTERNAL_DOWNLOADS]: The documentation recommends a global installation of the @meta-quest/hzdb package via NPM. This resource originates from the vendor organization consistent with the skill's author and is documented as a vendor-provided tool.
  • [REMOTE_CODE_EXECUTION]: In references/gradle-setup.md, the skill suggests adding a Maven repository URL hosted on a personal GitHub user account (https://npm.pkg.github.com/niclas-niclas) to resolve the com.meta.spatial:spatial-sdk dependency. This is an unverifiable dependency source for a core SDK.
  • [REMOTE_CODE_EXECUTION]: The skill recommends a non-deterministic versioning strategy in references/gradle-setup.md by using latest.release for the com.meta.quest:platform-sdk dependency, which can lead to the automatic ingestion of unvetted upstream code.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes and recommends modifications to project configuration files that influence subsequent agent actions.
    • Ingestion points: Project configuration files including build.gradle.kts and AndroidManifest.xml, as specified in references/gradle-setup.md and references/compatibility-requirements.md.
    • Boundary markers: Absent.
    • Capability inventory: Use of the Bash(hzdb:*) tool to execute shell commands for device management in SKILL.md.
    • Sanitization: Absent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 8, 2026, 06:37 AM