android-lib-lookup
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script executes the system command javap to inspect compiled Java classes.
- Evidence: subprocess.run(['javap', ...]) in scripts/lookup_class.py.
- Context: The command is invoked securely using a list of arguments without a shell, using paths derived from local Gradle configuration to extract public API signatures.
- [DATA_EXFILTRATION]: The tool accesses local project files and cached build artifacts.
- Evidence: Accesses build.gradle, build.gradle.kts, and files within the ~/.gradle/caches directory.
- Context: This access is required for the tool to index classes and provide lookups. No network operations were detected; the tool only outputs data to stdout for agent consumption.
- [PROMPT_INJECTION]: The skill processes untrusted content from external libraries, which creates a surface for indirect prompt injection.
- Ingestion points: Data is read from build.gradle files and extracted from classes.jar and sources.jar files in the local Gradle cache.
- Boundary markers: Results are presented in a structured JSON format, which helps the agent distinguish tool output, but the output carries no explicit instruction to ignore embedded commands.
- Capability inventory: The skill allows the agent to execute a Python script that can read local files and run the javap utility.
- Sanitization: The script extracts source code and Javadoc but does not perform sanitization to filter out potential injection strings.