android-adb-toolkit
Warn
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/adb_helper.sh` passes user-provided arguments (such as package names, component names, and IP addresses) into shell commands via `adb shell` and `adb connect`. While variables are quoted, they are not sanitized against subshell execution or special characters, creating a risk of command injection on either the host machine or the connected Android device.
- [DATA_EXFILTRATION]: The skill provides functions (`cmd_dump_prefs` and `cmd_dump_db`) to extract private application data, including SharedPreferences and SQLite databases, from the connected Android device. This allows the agent to access potentially sensitive user information stored within third-party apps.
- [COMMAND_EXECUTION]: The script attempts to execute commands with root privileges (`su -c`) on the connected device to access restricted files and directories.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data.
  - Ingestion points: The `logcat` functions in `scripts/adb_helper.sh` read and display real-time logs from the connected Android device.
  - Boundary markers: None. Logs are displayed directly in the agent context without delimiters or warnings.
  - Capability inventory: The skill has extensive capabilities including file system access (via `adb pull/rm`), application management (install/uninstall), and arbitrary command execution on the device (`adb shell`).
  - Sanitization: No filtering or sanitization is performed on the log output. An attacker could trigger logs containing malicious instructions to influence the agent's behavior.
Audit Metadata