android-emulator-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The script
scripts/build_and_test.pyautomatically searches for and executesgradlewin the current or parent directories. This pattern allows for arbitrary code execution if the agent is operating within an untrusted project directory containing a malicious Gradle wrapper. - [DATA_EXPOSURE] (MEDIUM):
scripts/log_monitor.pyandscripts/screen_mapper.pyextract system logs and UI hierarchies. These sources frequently contain sensitive information, including PII, authentication tokens, and private user data, which are then ingested into the agent's context. - [INDIRECT_PROMPT_INJECTION] (LOW):
- Ingestion points:
scripts/screen_mapper.py(UI XML dump) andscripts/log_monitor.py(ADB logs). - Boundary markers: Absent. UI text and log messages are processed without delimiters or warnings to the agent to ignore embedded instructions.
- Capability inventory: Significant. The skill allows app installation/uninstallation, text entry, and shell command execution via ADB.
- Sanitization: Absent. Text from external apps is used directly for navigation and logic, allowing an attacker-controlled app to potentially influence agent behavior via on-screen text.
- [COMMAND_EXECUTION] (LOW): Many scripts use
subprocessto calladb. While inputs like package names and coordinates are generally handled via argument lists,scripts/log_monitor.pyattempts to manually construct a command string forgrepwhich, if modified to useshell=Truein the future, would be highly vulnerable to injection.
Audit Metadata