The Agent Skills Directory

[COMMAND_EXECUTION]: The skill provides numerous examples of executing system commands via the android CLI. These include creating/deleting virtual devices (android avd create/delete), managing SDK packages (android sdk install/uninstall), and configuring .NET workloads (android sdk/jdk dotnet-prefer). While these are legitimate functions of the tool, they grant the agent significant control over the development environment.
[EXTERNAL_DOWNLOADS]: The skill documents commands that fetch content from the internet. Specifically, dotnet tool install -g AndroidSdk.Tool downloads the CLI tool itself, and android sdk download fetches Android SDK command-line tools. These operations rely on the integrity of the remote repositories and network connections.
[REMOTE_CODE_EXECUTION]: The command android device install --package <apk-path> enables the installation of third-party Android application packages (APKs) onto connected devices or emulators. Executing these applications constitutes remote code execution on the target device.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from external sources.
Ingestion points: Data enters the agent's context through android apk manifest info (reading APK files in references/apk-commands.md) and android device info (reading device properties in references/device-adb.md).
Boundary markers: There are no instructions or delimiters provided to warn the agent to ignore potentially malicious instructions embedded within the APK manifests or device property strings.
Capability inventory: The agent has the capability to execute commands (dotnet tool install), download files (android sdk download), and install/execute code on devices (android device install).
Sanitization: There is no evidence of sanitization or validation of the external data before it is presented to the agent's context.

android-cli