skills/android/skills/appfunctions/Gen Agent Trust Hub

appfunctions

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides numerous ADB shell commands (e.g., adb shell cmd app_function list-app-functions, adb shell cmd app_function execute-app-function) to interact with the Android system's AppFunction service. These are used for listing registered functions and triggering execution for testing purposes on connected devices.
  • [EXTERNAL_DOWNLOADS]: The implementation guide references official Android Jetpack libraries (androidx.appfunctions, androidx.appfunctions.service, androidx.appfunctions.compiler) to be fetched from Google's official Maven repository during the project build process.
  • [PROMPT_INJECTION]: The skill instructions in references/adb-interaction-testing.md require the agent to follow instructions contained within the metadata descriptions of AppFunctions discovered at runtime. This creates a surface for indirect prompt injection.
  • Ingestion points: Data returned from adb shell cmd app_function list-app-functions, specifically the description field (File: references/adb-interaction-testing.md).
  • Boundary markers: No explicit delimiter or instruction-filtering markers are specified for the dynamic metadata content.
  • Capability inventory: The agent has capabilities to execute AppFunctions and modify their state via ADB (adb shell cmd app_function execute-app-function, adb shell cmd app_function set-enabled).
  • Sanitization: The skill includes a 'Security' constraint in SKILL.md and references/implementation-configuration.md instructing the agent not to expose sensitive data or perform irreversible destructive actions without confirmation, providing a policy-based mitigation.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 02:50 AM
Security Audit — agent-trust-hub — appfunctions