skills/openharmonyinsight/openharmony-skills/android-to-harmonyos-migration-workflow/Gen Agent Trust Hub
android-to-harmonyos-migration-workflow
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The UI_COMPARE.md reference document provides code templates that use subprocess.run with shell=True to execute hdc (HarmonyOS Device Connector) commands for launching and interacting with applications on mobile devices.
- [PROMPT_INJECTION]: The skill demonstrates an attack surface for indirect prompt injection (Category 8) by processing untrusted external source code. 1. Ingestion points: Android source files (Java, Kotlin, XML) are read from user-provided local directories by scripts such as analyze.py and migrate.py. 2. Boundary markers: The processing scripts do not implement delimiters or instructions to ignore potential commands embedded within code comments or metadata. 3. Capability inventory: The workflow includes file system write access (via migrate.py) and the ability to execute hdc shell commands on connected hardware. 4. Sanitization: Content from the source files is read and processed using regular expressions without specific sanitization against embedded natural language instructions.
Audit Metadata