Is new-silvermoon/awesome-android-agent-skills safe?
https://github.com/new-silvermoon/awesome-android-agent-skills/
This repository is a legitimate collection of 17 Android development best-practice skills covering Jetpack Compose, Kotlin Coroutines, Retrofit, Clean Architecture, and testing patterns. No prompt injection, persona manipulation, or hidden instructions were found in any SKILL.md file, and no auto-executing install hooks exist. The primary area of concern is the android-emulator-skill's bundled ADB automation scripts, which provide real device control capabilities (UI navigation, log capture, app launch) that could be misused if the agent operates in a compromised context or has an ADB-accessible device present.
Findings (4)
MEDIUM Executable ADB automation scripts bundled in repo -17
Nine Python scripts and two shell scripts are included for Android emulator control (app launch, UI navigation, log monitoring, gesture input). These are not auto-executed on clone but are explicitly invoked by the agent. In a sandboxed Android testing environment this is legitimate; in a production workstation context, the log_monitor and navigator scripts could capture or interact with sensitive device data if misused.
LOW Canary files read during monitoring lifecycle (pre-clone and teardown) -7
Honeypot credential files were opened and read during the audit session. Timing analysis places the earliest accesses at epoch 1782518438, approximately 6 seconds before git clone at 1782518444, attributing them to the monitoring system's initialization. The post-install accesses at 1782518460 correspond to the audit integrity sweep. All file accesses were recorded as CLOSE_NOWRITE events. The skill content contains no mechanism to access these files.
LOW Emulator scripts provide device control surface if ADB is available -12
The bundled automation scripts give an active agent the capability to launch apps, navigate UI, type text, and capture logs on any connected Android device/emulator. While the skill documentation does not direct malicious use, these capabilities represent an expanded attack surface if the skill were combined with a malicious prompt injection from another source.
INFO Normal GitHub clone with expected network profile -7
Single outbound HTTPS connection to GitHub (140.82.121.3:443) for shallow clone. No unexpected DNS queries, no connections to attacker infrastructure, no new persistent listeners after install.