droid
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill automatically manages its own dependencies at runtime using a standard package manager.
  - Evidence: The `scripts/droid-cli/droid` and `scripts/droid-cli/droid.ps1` wrapper scripts execute `bun install` if the `node_modules` directory is not found locally, fetching packages defined in `package.json`.
- [COMMAND_EXECUTION]: The skill relies on executing external binaries to interact with Android hardware.
  - Evidence: The `scripts/droid-cli/src/lib/adb.ts` library uses `Bun.spawn` with an array of arguments to execute the `adb` (Android Debug Bridge) binary. This method is secure against host-side shell injection as it bypasses shell interpretation of arguments.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted UI data from third-party Android applications.
  - Ingestion points: `scripts/droid-cli/src/lib/ui-hierarchy.ts` captures the Android device UI hierarchy via the `uiautomator dump` command.
  - Boundary markers: UI elements are returned as structured data in a JSON array (`elements`), but the text content of these elements is not wrapped in markers to warn the agent about potentially malicious instructions embedded in the UI.
  - Capability inventory: The skill provides extensive capabilities to control the device, including tapping, typing, launching apps, and sending arbitrary key events.
  - Sanitization: No sanitization or filtering is performed on the text retrieved from the device UI before it is provided to the agent.
Audit Metadata