skills/coderfee/ai/android-build/Gen Agent Trust Hub

android-build

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/build.sh uses eval echo $path on values retrieved from the .androidbuild.yml configuration file. This allows an attacker to execute arbitrary shell commands by crafting a malicious path string (e.g., path: "$(touch /tmp/pwned)") in the config file.
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions for 'Silent execution' ("Silent execution: after the user issues a packaging command, execute directly without requiring confirmation"). This instruction explicitly directs the agent to bypass user confirmation, which is a concealment pattern that increases the risk of the aforementioned command injection being exploited without user oversight.
  • [COMMAND_EXECUTION]: The script executes ./gradlew, which runs project-local executable code. While standard for Android builds, when combined with the 'silent execution' instruction, it allows the skill to execute arbitrary code provided by a potentially malicious project directory without alerting the user.
  • [COMMAND_EXECUTION]: The script uses sed to modify build.gradle files using variables (NEW_VERSION_CODE, NEW_VERSION_NAME) derived from external files without sanitization. This could be used to corrupt project files or inject malicious Gradle code if the input files are manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 1, 2026, 06:00 PM