android-emulator-skill
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the Python subprocess module to execute system binaries including adb, gradlew, and the Android emulator. Specifically, scripts/common.py, scripts/build_and_test.py, scripts/log_monitor.py, and scripts/emulator_manage.py use subprocess.run and subprocess.Popen to perform lifecycle tasks. While these are necessary for the skill's primary purpose, they represent a significant capability surface.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests and processes untrusted data from the Android device/emulator environment.
  - Ingestion points: scripts/screen_mapper.py dumps the UI hierarchy via uiautomator, and scripts/log_monitor.py streams system logs via adb logcat. Both scripts parse this external data and present it to the agent.
  - Boundary markers: There are no explicit boundary markers or 'ignore' instructions implemented in the output of the data-parsing scripts to distinguish between tool instructions and ingested UI/log content.
  - Capability inventory: The skill allows the agent to launch/terminate applications, input text, perform gestures, and trigger Gradle builds (scripts/app_launcher.py, scripts/navigator.py, scripts/build_and_test.py).
  - Sanitization: The skill employs some defensive measures, such as using shlex.quote in scripts/keyboard.py and scripts/navigator.py to sanitize text inputs before passing them to the shell, which reduces the risk of direct command injection.
Audit Metadata