android-cli

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The android update --url=PARAM command allows the agent to download and execute updates from any provided URL. This is a direct vector for remote code execution if an attacker provides a URL pointing to a malicious binary.
  • [EXTERNAL_DOWNLOADS]: The android skills add command allows the installation of new agent skills. If used with untrusted sources, this can lead to the persistence of malicious logic within the agent's environment.
  • [PROMPT_INJECTION]: The skill implements a 'Journey' testing framework in references/journeys.md that processes XML-formatted test cases. The instructions explicitly command the agent to 'Execute each step EXACTLY as written, and independently of other steps' and to do so 'even if you believe you know the intent behind the action.' This effectively instructs the agent to bypass its own judgment, making it highly susceptible to indirect prompt injection via malicious XML journey files.
  • [COMMAND_EXECUTION]: The skill frequently uses adb shell input and pipes output from android screen resolve directly into shell commands. While intended for automation, this dynamic assembly of shell commands presents a risk of command injection if the input strings or resolution results are manipulated.
  • [DATA_EXFILTRATION]: The android layout and android screenshot commands capture the full UI state and visual screen of the connected device. This includes sensitive information such as text fields, accessibility labels, and visual content, which could be exposed or exfiltrated if the agent is directed to send this data to external endpoints.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 9, 2026, 12:49 PM