appfunctions
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous ADB shell commands (e.g.,
adb shell cmd app_function list-app-functions,adb shell cmd app_function execute-app-function) to interact with the Android system's AppFunction service. These are used for listing registered functions and triggering execution for testing purposes on connected devices. - [EXTERNAL_DOWNLOADS]: The implementation guide references official Android Jetpack libraries (
androidx.appfunctions,androidx.appfunctions.service,androidx.appfunctions.compiler) to be fetched from Google's official Maven repository during the project build process. - [PROMPT_INJECTION]: The skill instructions in
references/adb-interaction-testing.mdrequire the agent to follow instructions contained within the metadata descriptions of AppFunctions discovered at runtime. This creates a surface for indirect prompt injection. - Ingestion points: Data returned from
adb shell cmd app_function list-app-functions, specifically thedescriptionfield (File:references/adb-interaction-testing.md). - Boundary markers: No explicit delimiter or instruction-filtering markers are specified for the dynamic metadata content.
- Capability inventory: The agent has capabilities to execute AppFunctions and modify their state via ADB (
adb shell cmd app_function execute-app-function,adb shell cmd app_function set-enabled). - Sanitization: The skill includes a 'Security' constraint in
SKILL.mdandreferences/implementation-configuration.mdinstructing the agent not to expose sensitive data or perform irreversible destructive actions without confirmation, providing a policy-based mitigation.
Audit Metadata