Trust Assessment
android-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential for command injection via unsanitized user input in ADB commands, Broad access to Android device filesystem and command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential for command injection via unsanitized user input in ADB commands The skill provides examples of executing various `adb` commands, including `adb shell` commands (e.g., `adb shell monkey`, `adb shell input text`, `adb shell uiautomator dump`, `adb shell screencap`) and host-level `adb` commands (e.g., `adb pair`, `adb connect`, `adb pull`). Many of these commands take user-controlled arguments such as `<package_name>`, `<ip>`, `<pairing_port>`, `<pairing_code>`, `<connection_port>`, `<x>`, `<y>`, `<keycode>`, `<x1>`, `<y1>`, `<x2>`, `<y2>`, `<duration_ms>`, `<seconds>`, and especially `<text>`. The skill itself explicitly warns about handling quoting carefully for `adb shell input text "<text>"`, indicating a known vulnerability if this argument is derived from untrusted user input without proper sanitization. An attacker could inject arbitrary shell commands on the Android device (via `adb shell`) or on the host machine (via `adb` commands or `sleep`). Implement robust input sanitization and validation for all user-provided arguments passed to `adb` commands and other shell commands (like `sleep`). Ensure that shell metacharacters are properly escaped or that arguments are passed as distinct parameters to `subprocess` calls rather than concatenated into a single shell string. For `adb shell input text`, specifically, ensure the `<text>` argument is thoroughly sanitized to prevent injection on the Android device. | LLM | SKILL.md:28 | |
| HIGH | Broad access to Android device filesystem and command execution The skill grants the ability to execute arbitrary `adb` commands, including `adb shell` for command execution on the connected Android device, and `adb pull` for retrieving files from the device. While these are core functionalities of an Android automation skill, they represent a significant security risk if misused. An LLM agent, if prompted maliciously, could use `adb pull` to exfiltrate sensitive files from the Android device (e.g., `/sdcard/Download/passwords.txt`, `/data/data/com.example.app/shared_prefs/creds.xml`) or execute destructive commands via `adb shell`. The skill provides examples of pulling `view.xml` and `screen.png`, demonstrating the capability. Implement strict access controls and validation on file paths and commands that can be passed to `adb pull` and `adb shell`. Consider whitelisting allowed file paths or command patterns. Ensure the LLM agent is constrained to only use `adb` for its intended, safe operations and cannot be prompted to exfiltrate arbitrary files or execute arbitrary commands. Limit the scope of `adb` access to only what is strictly necessary for the skill's function. | LLM | SKILL.md:38 |
Scan History
Embed Code
[](https://skillshield.io/report/4e1184302b8bed18)
Powered by SkillShield