Trust Assessment
aster received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Direct shell command execution capability, Broad access to sensitive device data and control functions, Unpinned npm dependency in setup instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Direct shell command execution capability The skill exposes an `aster_execute_shell` tool that allows the AI agent to run arbitrary shell commands within the Android app's sandbox. While the description notes restrictions (no root, limited to app data/user-accessible storage, timeout, output limit), any direct shell execution capability presents a significant command injection vulnerability if the AI agent is compromised or given malicious instructions. An attacker could potentially use this to explore the sandbox, manipulate app data, or attempt sandbox escapes. Re-evaluate the necessity of direct shell execution. If required, implement strict allow-listing of commands and arguments, or provide higher-level abstractions instead of raw shell access. Ensure robust input validation and sanitization for any arguments passed to this tool. | LLM | SKILL.md:57 | |
| HIGH | Broad access to sensitive device data and control functions The skill grants the AI agent extensive permissions, including reading SMS, notifications, files, clipboard, and location, as well as sending SMS, making calls, writing/deleting files, and controlling UI gestures. While these are core functionalities, the cumulative breadth of these tools provides a compromised AI agent with significant control over the Android device and access to highly sensitive user data. The 'Proactive Event Forwarding' also explicitly sends sensitive data (SMS, notifications) to the AI agent, which could be misused if the agent is compromised. Implement fine-grained access control for the AI agent, allowing it to only use the minimum necessary tools for its specific tasks. Provide clear user consent mechanisms for sensitive operations. Ensure that the AI agent's environment is secure and that data received via event forwarding is handled with utmost care and not stored unnecessarily. | LLM | SKILL.md:47 | |
| MEDIUM | Unpinned npm dependency in setup instructions The setup instructions recommend `npm install -g aster-mcp`. This command installs the latest available version of the `aster-mcp` package. If a malicious update is pushed to the npm registry, users following these instructions could inadvertently install compromised software, leading to supply chain attacks. Recommend pinning the dependency to a specific version (e.g., `npm install -g aster-mcp@0.1.13`) or using a lock file (`package-lock.json`) to ensure deterministic installations. Regularly audit dependencies for known vulnerabilities. | LLM | SKILL.md:19 |
Scan History
Embed Code
[](https://skillshield.io/report/d414cac69c69a25d)
Powered by SkillShield