The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill documentation describes the android update --url=PARAM command, which allows the tool to download and install updates from a user-provided or agent-provided URL. This bypasses standard update mechanisms and introduces a risk of downloading malicious binaries.
[REMOTE_CODE_EXECUTION]: The android update and android skills add commands facilitate the installation of new executable content or the modification of existing CLI binaries. If an attacker influences the source URL or the skill being added, they could achieve remote code execution on the host environment.
[COMMAND_EXECUTION]: The skill is centered around executing various subcommands of the android CLI tool, including project creation, emulator management, and SDK manipulation. While these are primary functions, they represent a significant capability surface for an agent.
[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface in the following areas:
Ingestion points: android docs search/fetch (retrieves external documentation), android layout (parses UI trees), and android describe (analyzes project files).
Boundary markers: None identified in the documentation for separating untrusted data from instructions.
Capability inventory: The agent can execute shell commands, perform network fetches via docs, and write to files via screenshot or layout output.
Sanitization: No explicit sanitization or validation of the fetched documentation or layout data is mentioned, potentially allowing embedded instructions in these data sources to influence the agent's next steps.

base